Lies we tell ourselves - 5 Misconceptions Information Security needs to change

In spite of the state of disarray in the Information Security world, where budgets are growing and CISOs are receiving a mandate from senior management, there is still an uneasy misunderstanding of what security is really about, even amongst those who practice it.
  1. "Secure" is achievable - I think by now this is one of those myths about security that is fading quickly.  I've seen way too many pitches (from vendors, from peers, even internally) that have said "If you (the business) give us (security) X, we will make you secure."  That idea was mental at best or, as the title of this post says, an outright lie to ourselves which we passed on to others.  The problem with this mindset is this: not only is this mythical state of "secure" not achievable, but it's also unsustainable and financially unquantifiable as a finite spend.  The prevailing feeling over the last couple of years is that it is possible to reach a state of equilibrium where technical risks are equal to or less than the financial cost to put us in that state.  That 'state' is on a continuum, and every organization is comfortable with a different place on that continuum... and that's OK.
  2. "Enforcement" is possible - Many CISOs, mostly due to the train wrecks that have taken over the IT news, have gotten power through mandate.  I can probably count on one hand the number of CISOs I directly know who understand that a mandate doesn't necessarily mean you "win", or that anyone you have dominion over will do anything more than the bare minimum while you're watching them, then ignore you once you walk away.  Enforcement is not a way to secure an enterprise... I've been quoted as saying (in a security context) "You can bring a horse to water, you may even drown it in the pond, but if it doesn't want to drink, it won't"... which is true.  You can't force security onto a business staffed with people who have their own agendas, goals and objectives.  Sure, you may care about 'security', but odds are developers, project/program managers, operations staff and others simply do not.  Their goals are business-driven objectives like "keep the business operational" and "deliver faster"... all things you may be hindering with your 'mandate'.  So while you can attract bees with honey, trying to force them to fly your way probably won't work.
  3. "Control" is a reality - One of the major arguments I've personally heard about "public cloud" adoption is that it's insecure because the security group has no control over the actual security controls of the provider.  My point is this: if you think you (the security team) have had any measure of control over your organization's decision-making related to security, you're delusional.  In 3 out of 4 organizations that I've worked with in the last 4 years (and this may be biased by the companies I've done business with) the security organization is dragged along, kicking and screaming, by the rest of IT and the business, trying to 'secure' the ever-increasing complexity that makes the business run.  Acquisitions, product purchases, projects and integrations: security rarely, if ever, has decision-making capability (the ability to say "no, you cannot do this" when business gains, real or perceived, are on the line).  Forget trying to get or maintain control... you're not going to want it when you have it, if you get it.  What you want is governance... the ability to provide policy and direction but allow others to adhere to it as it fits their roles and business, with the ability to audit and govern change and technical risk.  Trust me on this.
  4. "Security" is a business requirement - Does your CEO believe that security is a core business requirement?  If you're an organization that relies on extremely high levels of assurance and low risk, then maybe the answer is yes.  For the other 99% of you, bad news... security is just a component of doing business.  Sometimes security doesn't even matter, not one tiny bit.  When your senior leadership, those "C-levels", see the news and hear of millions of dollars in losses and embarrassment to the organization attributed to hacking... odds are they think about it for a few minutes, then go back to wondering how they're going to make their quarterly numbers appealing to your shareholders.  Security tends to be a concept that goes in one ear, rattles them a bit, and then quickly exits.  It's like people who don't wear seat belts passing a vehicle wreck where the driver obviously wasn't wearing a seat belt and was killed... your mind says "wow, I should be wearing my seat belt, that's tragic!" but as soon as the accident is out of sight it's out of mind, and your conscience forgets.  Security is a component of doing business, and often incident response (and all that goes with it) is part of the cost of doing business, but security is rarely, if ever, a "business requirement".  If you feel otherwise, let's talk; I want to hear the story.
  5. "Security" must be a cost center - Another fantastic myth many of us have resigned ourselves to, and I know I did in a previous life where I worked, is that security is a cost center and nothing more.  This is so not true!  Security, or the "Office of Business Resiliency", has much to offer the organization in terms of benefits that can overcome that "all you do is cost us money" barrier.  Again, it's that thinking 'outside the box' (sorry, had to do it) that has some successful CISOs contributing to the business by helping it achieve business goals faster, while others are still stuck in the "department of no" mode.  Good security practices and principles can save your organization money in a real, measurable way, and they can contribute to making more money by getting to market faster and having more clients (that care about security, compliance, etc.)... so stop thinking of security as just a cost center and start thinking of ways to help the business's top or bottom line.


Here's a thought - let's start thinking about enterprise resilience, which combines a whole boat-load of other things and drops in a healthy dose of security to make sure that your organization can detect, deter and respond in a manner that suits the business profile you're in.


It's time the information security organization gets over its hang-ups, misconceptions and predispositions to outdated thinking, and gets with the new agile enterprise.

Comments
AlphavectorE (anon) | 05-25-2012 08:49 PM

Security, well, it's become such a different concept to me within the last week or so. I'll explain, in the only possible hope that the international communities would look at the breaches in our community not by faults of where these issues are arising from: security vs. privacy, emails, cookies, the advancements in the cookies. I'll simply explain briefly how a situation of identity can be overrun by advertisement disclosures. I'm fairly new to a believed truth that prevails to my own opinion, but nevertheless the reality of the underlying truth: I believe that technology, the web, has given the whole world such unprecedented communication; we must get past differences so our children and our culture can enjoy what we have stated in our community of intelligent communication. We must strive to keep our identities as well as our beliefs and culture; we must find and accept that we are faced with an issue becoming so many possibilities, rights, wrongs, good, bad. I now do not look for or harbor those sympathies; I ask in humbleness that through compassion we strive..... AlphavectorE.

secolive (anon) | 05-29-2012 04:49 AM

A few thoughts:

- as we discussed, security can be seen as a subset of resiliency; it can also be approached as a subset of quality (especially in development). When you integrate that, it's far easier to understand all the misconceptions you mention (try replacing "security" with "quality" above, and you'll see it is obvious).

- security as a business enabler: we all know the "brakes-are-for-going-fast" metaphor, but apart from this unusable metaphor I almost never saw things presented this way. I strongly believe that security can often be an enabler; I think this argument is vastly underused though.


Now, for the homework: how do we integrate resiliency, quality and business enablement?

-ds (anon) | 06-12-2012 08:10 AM

I disagree with how you've phrased #4, but I think I agree with the intent.  Security is of course a business requirement for more than just 1%, and your attempt to dispute that is not logical (e.g., when you say "Security is a component of doing business", which I see as another way to say "requirement").


What you perhaps should have said is that we tell ourselves the lie that "Security is strategic".  I agree wholeheartedly that for most companies security is not a _strategic_ requirement, one that is on the board agenda every meeting, one that the CEO has on a daily dashboard, etc.  It's just another issue that has been delegated... important but not critical.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation