Security Policy Pontification
I recently answered a question regarding why the security policies for remote access were difficult to manage and adapt to change. The question came through Linkedin from a PR professional.
“So why is the policy so hard to adapt? Is it an issue of internal politics? Network security not being flexible enough? Or is policy actually not hard to change at all and I’m just picking up on ‘the complainers’?”
I dredged up all the fun and experience I’ve had with managing security for an organization and whipped up this response to the gentleman.
“I think you answered your question when you asked why is policy so hard to adapt?
Internal politics, first off, has doomed many sensible security efforts. From “Why can’t the VP have administrator access remotely to the email server?” to “I don’t want to have to remember/change my password”, this usually leads to a bare-bones approach to security as a whole. A metaphor for this is having a screen door on a submarine.
To touch on your next point, the flexibility of network security: it’s not flexible. Even though a hacker can break a password in three days with a mid-level system and a high-end graphics card, we haven’t adapted to this new reality. One-time passwords, tokens, and biometrics are still only utilized by a small segment of the population, mostly government and high-level financial institutions. Security professionals have a hard time making the case to upper management for security “best practices”, let alone more advanced technologies such as intrusion detection and prevention, etc. So most companies go by the axiom that a “locked door keeps an honest man honest”. These companies probably know that a dedicated individual, within or without, could walk off with valuable assets without too much trouble.
Finally, you are not picking on complainers, in my opinion. It all boils down to the user and his/her acceptance of the policy or solution. This topic was brought up on your blog by Andrew Baker.
Without user buy-in to whatever you are selling or implementing, it will fail or be resisted heavily. Folks in IT are usually poor sales/marketing people, which is why IT and the business should work together on designing their solutions to fit the needs of the users within the company. Of course this would be weighed against a cost/benefit analysis and risk. A heavy-handed approach by IT or upper management will almost always guarantee a spectacular waste of money and time with an eventual bare-minimum compliance.
The solution? This goes all the way back to the strategic plan of the organization in question. Security has to start from the top down and be integrated into whatever solution, not tacked on as an afterthought. It also involves training, as Mr. Baker mentioned: training for both employees and a company’s customers. Managing the expectations of both parties will help smooth the path for future adjustments.”
Of course, security is but one component of the corporate IT environment. This is why the business and IT need to work hand-in-hand on a variety of issues. An adversarial relationship between IT and the business will cost a lot of time and money.