The Audience
If you’re an Information Security professional, this article is aimed at your superiors: the middle management, the upper management and executive officers in your organization. They (and your users) are the largest obstacles to overcome in developing and deploying an effective security strategy. You must be able to convince them that not only are they justified in spending the money on such measures, but that said expenditures are also an investment in the long-term health of the company. Although your job is highly technical in nature, it also includes the human element of accurately conveying the return on investment of a sound security strategy to nontechnical personnel.
Lead By Example
The development and implementation of an effective security strategy starts with you: Whether you are the IT Director, CTO/CIO or other executive officer, ultimately the persons responsible for implementing these strategies look to you for guidance. If you espouse sound security principles, so will your employees! If you cut corners and shrug off risks, your employees will follow suit.
You may feel inconvenienced by the security measures proposed by your IT Department; however, it’s important to remember that the measures they recommend are for the greater good of the company. Be ready and willing to adopt the same security measures at the executive level as you implement at the employee level: if your subordinates see that you take measures to ensure the safety and security of the company computer systems, they will be more willing to comply. If you choose to make yourself immune to those measures and cut corners, it sends the message that you don’t care: so why should they?
Emphasize the importance of security and vigilance to the persons in your area of responsibility and they will do the same! The attitude of your organization’s corporate culture towards security will play a large part in ultimately determining how effective your security strategy is.
Risk: Existential or Quantifiable?
For most corporations and private individuals, the probability that their organization will experience a catastrophic theft of trade secrets or customer data seems remote. You may read about such incidents in the news, or hear about them in passing. It may seem unlikely that your company could become the victim of such an incident. Unfortunately, this is not the case. Every area in which your corporation integrates computers into its workflow presents an opportunity for attackers to do damage. Each and every internet-connected application, externally-accessible server or disgruntled employee presents a unique set of threats to your organization, yet the totality of those risks is difficult to quantify. How do you assign a dollar value to the various ways in which your corporation’s intellectual property or the privacy and integrity of your customers’ data might be violated?
You can quickly figure out how much your business stands to lose in each situation by asking and attempting to answer for yourself the following basic questions:
- What data (personally-identifying or otherwise) do we store about our customers?
- What are the potential ramifications of that data being stolen or made public?
- What would be the consequences of our proprietary methods or trade secrets being made public?
- How much business would we lose from a 48-hour period of total network downtime?
- If I were a disgruntled employee, could I steal or destroy data?
By now, you should be forming a clearer picture of the financial and legal risks to your organization. Can your business afford to cease operation for 48 hours? How would your customers be affected if your organization’s main database suffered a catastrophic failure on a Monday morning? The answers to these questions (and others) will help you and your IT Department begin to develop effective strategies to mitigate outside threats and minimize potential damages from these risks.
A Delicate Balance
It is often difficult to strike the right balance between security and ease-of-access for employees. If passwords are too short and lack complexity, it raises the possibility of attackers simply guessing the right password. If passwords are too long and complex, employees may resort to writing them down on sticky-notes under their keyboards – another can of worms entirely! Alternative solutions such as two-factor authentication using “smart cards” provide great security with little user-interaction, yet these solutions carry a significant price tag. For every problem, there is a solution…provided you’re willing to spend the money.
Depending on the size of your organization and the limitations of your budget, it may not be technically feasible or operationally practical to implement some measures. For example, a small business may not need a backup generator since it does not possess a large enough data-center – a simple battery backup may suffice. The same concept applies to how secure your network and systems are against attack: some software or hardware solutions may be out of your budget, or simply overkill. Ask your IT Department to present several different solutions for each situation, and weigh the benefits and risks of each. How many corners are you willing to cut? In the long run, is it worth it to skip buying that battery backup if the end result is catastrophic downtime due to a momentary power brown-out?
Remember to think of the long-term and worst-case-scenario consequences for each situation.
The Weakest Link
Any security strategy is only as thorough and effective as the persons who propose and implement it. Skilled personnel are worth their high salaries, and incompetent individuals run the risk of destroying your organization from the inside. Similarly, happy employees rarely present a threat, yet disgruntled employees may be willing to harm an organization through digital or physical malfeasance.
Take the time to vet the effectiveness of each aspect of your security policy. This may entail conducting background checks of employees who have access to customer data, requiring your IT professionals to hold or obtain applicable certifications, or perhaps hiring a “red team”: an outside group of security professionals who will attempt to breach your defenses and recommend remedies in lax areas. Each of these points represents an additional expense to your organization, yet the benefits greatly outweigh the costs. Would you prefer to have your security audited by a firm of your choosing, or by the court of public opinion after a breach?
Approach the effectiveness of your organization’s security measures with the same enthusiasm as you do its profitability: in the age of information, these two concepts are directly linked. A single catastrophic breach of customer data or theft of trade secrets may end the life of a smaller corporation, and cause serious financial duress to larger publicly held entities. Consider the strategic importance of spending a few thousand dollars now to offset the loss of millions in the future: the return on investment for effective security is no less than the integrity of your trade secrets, and sometimes the total dollar value of your business (not to mention the favor of your investors and customers)!
Due Diligence
Hollywood almost always gets everything wrong about technology, especially when it comes to computer systems and “hacking”. Despite the technical inaccuracies of these portrayals, one recurring theme is startlingly accurate:
Nothing is “unhackable”.
The state-sponsored malware known as “Stuxnet” infected computer systems on networks in nuclear facilities which were physically separated from the internet. The attackers simply figured out how to get past this “air-gap”: they designed the malware to infect USB drives, and eventually the malicious program found its way in as users plugged infected drives into “secure” systems. With that in mind, you may ask yourself “Why should we even bother? What’s the point of spending thousands of dollars on security if someone will just break in anyway?”
Two words you will eventually hear uttered in a court of law if you do not: due diligence. This is the concept that you took every applicable, practical measure to minimize these risks. If your customers’ data is breached and a lawsuit reveals that you cut security measures to save a few dollars here and there, the resulting victim compensation and negative publicity will cost far more than hiring third-party security auditors or talented personnel.
Your organization already takes steps to minimize risk in other areas: your buildings contain smoke detectors, fire extinguishers, fire doors and clearly marked fire-lanes for emergency vehicles. You ensure regulatory compliance with applicable governing bodies, sound legality in contractual wording and consistency of financial records to ensure smooth operation of your business. A sound information security policy requires just as much proactive effort, and is just as important to the long-term health of your organization.
Ultimately, these decisions start and end with you; set an example for others to follow, not to avoid. Lead the way to a business model that embraces security as an integral part of your business philosophy and your customers will thank you for it!