In the past couple of articles we have considered why security is important and what threats are faced, both internal and external. Most, if not all, organisations will already be doing something about IT security, so it isn't going to be awfully useful to launch into a treatise on how everybody should be implementing it. It is worth revisiting some of the key elements of 'security done right', however, so that we can consider what is getting in the way.
At the heart of all good security practice lies risk management, a discipline shared with such areas as business continuity planning and Health and Safety practice. Done right, risk management considers business risks first and foremost – indeed it would be fair to say that business risks are the only ones that matter (or to put it another way, if your organisation is unlikely to suffer as a result of a given threat, it’s not really going to be worth dealing with).
It's important to note, of course, that risks can be both technical and non-technical. There are the ongoing dangers of theft or other malicious intent, which need to be protected against through physical, technical and policy means. However, many other risks arise in the course of normal, day-to-day operations. Consider mobile phones, for example, or instant messaging, home working or managing subcontractors. Each of these has a technical aspect – a phone could contain confidential contact lists, for example, or home working could result in unvetted individuals (i.e. the kids) running unauthorised software on a machine that also handles company data. But even in these cases it is important to consider the risk from a business perspective – what would be the impact of losing such a contact list, or of a child installing a game on the family PC?
Risk, then, needs to cover all areas, not just the more obvious ones. From this eminently sensible starting point it is worth bringing up the topic of security standards, in particular ISO 27001 (the successor to BS 7799). Essentially, what the standard expresses is that to do security right, you first need an information security management system that defines how security is to be done in your organisation; then, you need to actually do what you said you would do, one element of which is to re-assess the risks and review the measures in place on a regular basis.
It is hard to imagine how security best practice could be expressed more pragmatically or practically than the one-two-three of identifying the risks, deciding what to do about them and then doing it. We do know however that many organisations are operating security in a sub-optimal manner. There is even evidence that organisations are actively avoiding working through these things, for fear of what they might find. This is the equivalent of driving down a busy road with a blindfold on, for fear of what one might see.
In a more proactive world, in which the business risks are well understood, IT security measures can then go some way towards mitigating them. We spell this out in such terms because, as we have already mentioned, IT security is about all of people, process and technology. It is here, however, that we hit the second challenge – that of selecting and applying the measures that secure the organisation, taking into account threats to the business coming from both outside and inside it.
In principle, IT security measures 'should' be considered, designed and implemented in a holistic manner. From a technical perspective as well, security 'should' be considered across the whole architecture – the term 'defence in depth' describes how the IT environment can be treated as a series of nested zones, each secured according to its own needs and with its own boundaries, so that a failure of the controls at one layer does not by itself expose everything behind it.
In practice, however, while many organisations may indeed take their security responsibilities seriously, few achieve a level of security that could be called optimal. There are many reasons for this, chief among them that, bluntly, security is extremely hard to get right. It is a fine aspiration to define and deploy a hardened security environment, but many (if not all) security measures can also have a detrimental effect on the business itself – indeed, too much security can be a business risk in its own right.
It is perhaps unsurprising then, that the security measures in place tend towards those which are easier to define and deploy. We can see evidence for this in the chart below, which shows what security products organisations have already implemented, or are planning on implementing.
As can be seen from the chart, there are essentially three 'bands' of security measures. The top band we could refer to as point products – antivirus, VPN and the like – which are already implemented by the majority of organisations. Languishing at the bottom are those security technologies we could consider 'architectural', for example security event management and behavioural analysis, which only deliver value when deployed across the environment rather than at a single point.
So, what’s the answer – are the majority of organisations destined to have willing hearts but weak bodies when it comes to implementing IT security? The answer is probably yes – unless either legislation or accepted corporate behaviour take a leap forward.
Ultimately however it is the risks, and how well they are mitigated, that should define whether or not an organisation has got things right. To take a specific example, an organisation may or may not have implemented an intrusion detection system (IDS). Far more important however is the knowledge of what information should be considered as confidential and to whom, and whether it is adequately protected against all the risks it may face.
In security, then, risk management offers both a starting point and an end point. It is perhaps ironic that kicking off a risk management exercise, or a re-assessment of the risk register, need not be an onerous task – particularly if the 80:20 rule is applied appropriately, so that effort goes first to the handful of risks that account for most of the exposure. Indeed, not doing this is perhaps the biggest risk of all.
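To make the two points above concrete – prioritising a risk register with the 80:20 rule, and re-assessing risks on a regular basis as the standard requires – here is an added worked example. It is not code from the original article, and the scoring scheme (likelihood 1–5 times business impact 1–5) and the sample register are assumptions constructed for illustration, not data from any real organisation.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Risk:
    """One entry in a risk register.

    Assumed scoring scheme (not from the article): likelihood and impact are
    each rated 1 (low) to 5 (high); impact is judged from the business
    perspective, not the technical one. Exposure is their product.
    """
    name: str
    likelihood: int
    impact: int
    last_reviewed: date
    mitigated: bool = False

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register, deliberately mixing technical and
# non-technical risks of the kind the article mentions.
SAMPLE_REGISTER = [
    Risk("Subcontractor retains admin credentials after contract ends", 5, 5, date(2024, 11, 1)),
    Risk("Phishing of finance staff leads to fraudulent payment", 4, 5, date(2023, 6, 1)),
    Risk("Laptop holding customer contact list lost or stolen", 4, 4, date(2024, 12, 1)),
    Risk("Ransomware via email attachment", 3, 5, date(2024, 3, 1), mitigated=True),
    Risk("Confidential file shared over consumer instant messaging", 2, 2, date(2023, 12, 1)),
    Risk("Home PC shared with family runs unvetted software", 3, 1, date(2024, 9, 1)),
    Risk("Office burglary of server room", 1, 2, date(2024, 5, 1)),
    Risk("Personal phone with work contacts lost", 2, 1, date(2024, 8, 1)),
    Risk("Visitor tailgates into office", 1, 1, date(2024, 10, 1)),
]


def unmitigated(register):
    """Risks that still need a decision; mitigated ones stay on the
    register for review but drop out of the prioritisation."""
    return [r for r in register if not r.mitigated]


def pareto_cut(register, share=0.8):
    """Smallest set of highest-exposure risks that together account for at
    least `share` of the total exposure (the 80:20 cut). Returns risks in
    descending order of exposure; an empty register gives an empty list."""
    ranked = sorted(register, key=lambda r: r.exposure, reverse=True)
    total = sum(r.exposure for r in ranked)
    if total == 0:
        return []
    chosen, running = [], 0
    for r in ranked:
        chosen.append(r)
        running += r.exposure
        if running / total >= share:
            break
    return chosen


def overdue_reviews(register, today, max_age_days=365):
    """Risks not re-assessed within `max_age_days`. Mitigated risks are
    included: a control that was adequate a year ago may not be now."""
    return [r for r in register if (today - r.last_reviewed).days > max_age_days]


if __name__ == "__main__":
    today = date(2025, 1, 15)  # fixed date so the output is reproducible
    live = unmitigated(SAMPLE_REGISTER)
    print(f"Total exposure of unmitigated risks: {sum(r.exposure for r in live)}")
    print("Deal with these first (80% of exposure):")
    for r in pareto_cut(live):
        print(f"  {r.exposure:>3}  {r.name}")
    print("Overdue for re-assessment:")
    for r in overdue_reviews(SAMPLE_REGISTER, today):
        print(f"  last reviewed {r.last_reviewed}  {r.name}")
```

Run on the sample register, three of the eight unmitigated risks carry over 80% of the total exposure, which is the point of the 80:20 rule: the first pass of a risk exercise only has to get those three right. The review check is the other half of the standard's loop, and it catches a mitigated risk whose control has not been looked at in a year just as readily as an open one.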