Not a Trick Security-Related Question....

I'm delivering an ITIL Foundation class this week. As part of ITIL Foundation we always cover a very brief process in v3 about designing information security.

For all intents and purposes, the best practice is that security requirements that are designed and built into services should be in-line with business needs, and should ultimately be driven by business requirements.

I'm not some best practice bigot that doesn't realize that best practices tend to be ideals; in practice we see all types of approaches, many in line with best practice and others at some point in a maturity continuum relative to best practice.

In my experience, I've mostly seen information security requirements in line with the best practice, that is, driven directly by business needs. I agree that there are times where I have seen a risk function or information security group impose requirements upon a business unit, but it seems that as time has gone on, this as become less common. Also, please keep in mind that my experience is primarily in the financial services industry, so my perspective might be a bit jaded by that industry.

To get to the point, one of the students in the class this week does information security work as his job. When we were discussing the ITIL information about information security (which is high-level), he adamantly disagreed with what was said. He indicated to me that information security has to drag the business along kicking and screaming and "make" them follow security policies and guidelines. Moreover, he indicated that it is never the business that drives security requirements.

I believe that perhaps his thoughts are clouded by his limited world view, but I'm not really one to waste my breath arguing with people about this stuff. I really don't have to be "right"; and I don't think it's necessarily my job to try to beat down perceptions that are so strongly ingrained, for whatever reason. Also, I'm not the one that has to take the 40 question ITIL Foundation exam at the end of the class....

The reason that I'm posting this here is because I would like to get the thoughts of some of the information security practitioners on here that do this work for a living. Do you often see the business driving IT security requirements, or is it the other way around? Additionally, how do you think it should work?

If you can provide stories to exemplify your responses, that would be great.

Thanks,

MS

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

kimanyd

Business drives security needs. If it were the other way around, we'd secure things so much that no one would be able to do anything

eMeS

kimanyd wrote: »

Business drives security needs. If it were the other way around, we'd secure things so much that no one would be able to do anything

What the guy was saying made little sense to me....thank you for confirming that I'm not insane...

MS

msteinhilber

If business didn't drive IT security requirements, I would have to question why a lot of businesses begin to take security more serious only after there is an incident of significant magnitude. In those examples, I suppose you could argue that the IT staff were lazy and didn't care to implement security but I know the majority of my peers working in IT generally embrace being able to put good security measures in place - it helps them learn new skills and helps keep their time away from dealing with issues related to the lack of security.

My former employer, a regional computer retailer of 20 stores, is a prime example of this situation. The IT staff within the organization mentioned time and time again at monthly managers meetings that there needed to be serious upgrades in their infrastructure both related to security as well as availability (they also operated an ISP operation) since there was minimal security in place, and no backup equipment and basic rackmount UPS equipment with no generator to keep the ISP operations running.

How things typically went at these managers meetings was often the same. The IT staff proposes the need for the upgrades. The cost was presented, and the managers scoffed at the price. This was mostly due to the fact that the way the business was run, all expenses were deducted from the managers P&L. So if the upgrades cost 500k over the run of a year, and my store accounted for 20% of the companies sales (not uncommon in some of our high traffic stores) then I would be accountable for roughly 8.3k of the purchase that month since corporate overhead expenses were assigned to locations based on percent of sales. Clearly, many managers weren't forward thinking enough to consider the "what if's" and only looked at their P&L with their commission now reduced until the debt was paid.

Several months after I left the company, I was speaking to a friend who was the network engineer. He was given a huge budget to harden security. Turns out they had a breach that potentially revealed the credit card information of some 65k users. The news found out, stories were run, phones rang off the hook in the branch offices from concerned customers. Needless to say, they ponied up the cost to modernize their security measures. They went for years neglecting security because the business didn't see the demand for it. Once the **** hit the fan, it was no problem.

Clearly not all businesses wait until problems arise before they take security seriously, but I can't help but think stories like these don't help prompt executives to put security practitioners in place. If that isn't the business driving security needs I don't know what is. It sounds like the guy in your class just had a big head and felt like flexing his "i'm in control of my organization" muscles.

rsutton

wrote:

He indicated to me that information security has to drag the business along kicking and screaming and "make" them follow security policies and guidelines. Moreover, he indicated that it is never the business that drives security requirements.

I would say my experience would agree with this to an extent. But it's not that black and white. There are groups and individuals that see the benefit of a strong security model and there are those that don't. It comes down to perceived risk:control. Experience will surely impact that decision.

I also think there is nothing wrong with that. We don't tighten out home computers down like we would our work computers. And we don't tighten our work computers the same as we would our DC's. The risk does not warrant the inconvenience.

Given that IT guys have a firmer grip on what should be secured and what shouldn't, and more importantly to what extent, I think it only makes sense for them to design the policies for the business.

This is also why you generally have someone who acts as a buffer between the technician and the business. The IT Director (for example) tries to find a balance between risk and control.

Where I have worked, the IT leadership is generally doing plenty of dragging in this regards.

RobertKaucher

eMeS wrote: »

What the guy was saying made little sense to me....thank you for confirming that I'm not insane...

MS

I think Dynamik and you are correct but the student has a valid point. Sometimes those who are in the position of dictating what the business needs are do not have adequate understanding of what is required from a security perspective and therefore DO need to be dragged kicking and screaming. One company I worked for briefely (relatively large - about 100 workstations) had no written security policy and believed that they not only did not need it, but did not need user accounts with passwords or any sort of file/folder level permissions. I was able to demonstrate several situations to them in which their data would be easily compromised: stolen, corrupted, or simply deleted. Their idea of business need was being able to walk up to any computer and get what they wanted immediately. No passwords, no fuss, just immediate and instant access.

It was impossible for me to convince them. I showed them how anyone could have stumbled onto the coporate Amex number, how any one could stumble upon HR data with SSNs, etc... They finally agreed and then went behind my back and forced employees to write down their passwords and tape them to the underside of their keyboards. This was in a very high traffic area, were employees would come and go and share PCs.

With the way they treated their employees (I don't mean poor pay or not promoting from within, I mean barating and degrading in front of other employees) I was amazed something had not happened yet. The situation was ripe for a pissed off employee to just delete everything on their little consumer NAS drive and never come back.

Met44

He indicated to me that information security has to drag the business along kicking and screaming and "make" them follow security policies and guidelines.

I agree with the idea behind this for the most part. If there is a policy set, part of IT's responsibility is to make sure people are following it. (How should one respond if you see a user's password written on a sticky note on the user's monitor?) They should have management's backing in this. If a policy is set and is not followed, there must be a reconciliation: enforce, update, or revoke it.

However, I disagree with him that anyone should be "kicking and screaming". If a user is not following policy, something is off... either they don't understand how important it is, or it really is an excessive policy (or they understand and wish to complain anyway). Kevin Mitnick has shown how valuable security awareness is for users.

Moreover, he indicated that it is never the business that drives security requirements.

Agreeing or disagreeing with this depends on how you interpret what he is saying. If he is claiming that, in reality, business never (maybe a better word is "infrequently") drives the security requirements, that may be a pretty true statement. That would explain why there are so many corporate security breaches always floating about in the news. However, if he is stating that business needs should not drive security requirements, well, that's silly. Security policy should be based on the results of a risk assessment. Most places do not need 15 character passwords changed every other month. Perhaps there are some that do. Not basing security implementations around a business's needs is like buying a pair of jeans without looking at the size. It's either going to be too tight, or someone is going to catch you with your pants down.

Paul Boz

Business needs should always dictate security, and that's the case in the majority of the environments that I go to. That is actually why most organizations have poor security policies and procedures. Think of it logically. If the business is hindered by security, there is no business. With no business you have no need for security.

RobertKaucher wrote: »

One company I worked for briefely (relatively large - about 100 workstations) had no written security policy and believed that they not only did not need it, but did not need user accounts with passwords or any sort of file/folder level permissions.

100 systems is (at least from my perspective) a small network. Typically in similarly sized environments there are weak policies and procedures in place. I just left a client with 3000 assets, for example, and they had the best policies and procedures I have seen.

RobertKaucher

Paul Boz wrote: »

Business needs should always dictate security, and that's the case in the majority of the environments that I go to. That is actually why most organizations have poor security policies and procedures. Think of it logically. If the business is hindered by security, there is no business. With no business you have no need for security.

Security should not unduly impede the business process. But this should not justify a culture of poor security. Poor security does not equal proper security just because the boss says it should. There must be a certain minimum standard that the majority of companies can follow without being overly encumbered. Being lazy is not a business need, but too many in management will tell you that this or that is not required because it restricts business when in fact what they mean is they are too lazy to deal with the perceived hassle it will create. The need to protect the company, its assets, its employees, and its customers from a threat IS a valid business need, not implementing a policy because a manager does not want to listen to Jane Doe, a 55 year old computer-illiterate complainer, gripe about having to change her password every 45 days is NOT a valid business need. Not authorizing the purchase of equipment because it will adversely impact the manager’s bonus is also not a valid business need. But then on the other side too many admins and security people do not perform the risk/benefit analysis and think that should really drive this question. Is the threat a real threat or a perceived threat? If the threat is real is the risk incurred by ignoring it greater than the investment in mitigating the risk? Just because something is cool or new in the IT Security industry is also not a valid business need.

What I believe the student may have been trying to express (and I am not sure) is that management cannot always be trusted with identifying what security measures are appropriate for the business. Yes, business must drive the security requirements but when management is not able to or willing to identify what security measures are required, they must be pulled kicking and screaming as much as possible.

coffeeking

eMeS wrote: »

He indicated to me that information security has to drag the business along kicking and screaming and "make" them follow security policies and guidelines. Moreover, he indicated that it is never the business that drives security requirements.
MS

I would have to agree with your student; but then it is not always true.
I think it largely varies from an organization to an organization. I do information security stuff at my job; and this is what we go through; having to pound users to follow processes, procedures and policies. This is largely due to the fact that the security department in our place in merely 5 years old; security before that was terrible from what I have heard. So this is definitely going to take time to change the culture. People just don't have the security mindset to conduct their daily operational activities. It also might have to do with the geographical location of your organization; western organizations are take it lot more serious. Organizations in eastern countries tend to think that "IT COULDN'T HAPPEN TO US" or "WE DEAL WITH IT WHEN IT HAPPENS". So you can imagine it is not easy to bring in stuff to enhance security; there has to be a strong reason to justify new stuff.

I have yet worked only in one place and this has been experience. Like I said it might be different in different places.

eMeS

Interesting to see the diverse replies...thank you all.

Also, let me apologize for posting in the wrong area...I guess I was really tired last night.

MS

GAngel

It depends on the environment. I know i've seen it both ways in my career.

RobertKaucher

coffeeking wrote: »

I would have to agree with your student; but then it is not always true.
I think it largely varies from an organization to an organization. I do information security stuff at my job; and this is what we go through; having to pound users to follow processes, procedures and policies. This is largely due to the fact that the security department in our place in merely 5 years old; security before that was terrible from what I have heard. So this is definitely going to take time to change the culture. People just don't have the security mindset to conduct their daily operational activities. It also might have to do with the geographical location of your organization; western organizations are take it lot more serious. Organizations in eastern countries tend to think that "IT COULDN'T HAPPEN TO US" or "WE DEAL WITH IT WHEN IT HAPPENS". So you can imagine it is not easy to bring in stuff to enhance security; there has to be a strong reason to justify new stuff.

I have yet worked only in one place and this has been experience. Like I said it might be different in different places.

You are giving far too much credit to companies in the West....