Infosec goals, business needs

by Mark Rowe

When it comes to running an information security programme, the barriers to success are predictable. Many are obvious, such as a lack of budget and minimal buy-in, but others are less clear, and it’s often the small things that add up to create real security hurdles, writes Gemma Moore, Director of the consultancy Cyberis, a company in the NCSC IT Health Check Service.

Many of us have experienced individuals inside an organisation with specific agendas preventing security initiatives being pushed through or users accustomed to the culture of ‘management says security is IT’s problem, so it’s not mine to worry about’. Furthermore, vendors can overpromise and underdeliver, while IT staff can find themselves snowed under with trivial but urgent tasks.

All of these get in the way of achieving the desired results in an organisation’s security strategy, and negative outcomes can sneak up quickly. Whilst setbacks are inevitable, culture and the way in which information security is handled and communicated internally can be the difference between the successful protection of your assets and data and a damaging security incident.

It’s damaging for a business to think of information security as a hurdle. When you perceive security as a blocker or a barrier, it is natural that you will find ways around those barriers to get things done. When security is a blocker and makes things difficult, people seek to bypass controls that are there to protect them and the data being handled. That is why it is so important to align information security goals with business needs.

There is always a balance to be struck between risk and opportunity and it’s important to understand as a business what types of risk you are willing and able to tolerate, but also what that means in terms of opportunities sought. There is no such thing as being 100% risk free. Any business that locked itself and its employees down to that level would simply be unable to achieve anything.

Aligning your approach to information security means understanding not just what you want to achieve, but how much risk you are willing to tolerate to get there.

Alignment involves creating the right mindset and a culture within a business, educating employees and getting information security teams to market and sell themselves effectively to internal customers.

In the most successful internal relationships, employees don’t go to the information security department and ask, “Can I do X?”. Instead, they say, “I am going to do X, so how can I do it securely?” Information security has to help the rest of the business solve its security problems, not stop them working. Changing the image of the information security team from “the team who say no” to “the team who are there to support us” can be difficult, but it’s worth doing.

It is tempting to believe that it’s always a question of the more freedom you give employees to innovate, the less secure you will become; but that’s not necessarily true. It is something that I often hear in relation to very agile environments in fast-paced innovative industries. People will resist the implementation of security because they perceive it as something that will slow down development, stifle releases and generally cause a lot of bother. On the other hand, there are hugely innovative fast-paced companies that have built security into their DevOps pipeline, embraced automation, integrated security testing and code audit at multiple stages and made it really easy for developers to roll out new products rapidly, securely, seamlessly and – most importantly – painlessly for staff.

Sometimes, in the information security industry, we can find ourselves adopting a bit of a world-weary, user-blaming attitude. Given what we see on a regular basis, it’s understandable that we get a bit cynical, but it’s not helpful to blame users for things that go wrong, or to expect users never to do the wrong thing. Saying ‘they should have known better than to open that document or use that password’ helps nobody. I’m good at information security and it’s what I focus my attention on – but I don’t expect users to have the same attitude or the same interest in security that I do.

We can’t expect information security to be on the awareness-radar of every user all the time. We have to bake information security into business processes and controls so that it is a default and users don’t have to think about it.

Usability and acceptance of controls are hugely important in security. When you are introducing a new control or a new way of working, you need to make sure it’s easy for people to adhere to. Password policy is a clear example of where adding security can go wrong when we make it difficult. For decades, passwords have been used to authenticate people, and we all know this has serious limitations.

Initially, people looked for something that was easy to remember, obviously. Many used ‘password’ or ‘welcome’ or their pet’s name. The security industry spent years educating people about using stronger ones: we suggested long passwords with lots of different character sets, not based on dictionary words. Those types of password are hard to remember, so people chose a single password that they did remember and used it for everything. Then we had the problem of these passwords becoming compromised due to insecure storage, so a compromise on one system would lead to a compromise on another.

The security industry then told people they needed to use long, complex, hard-to-remember passwords and that they couldn’t share them between different systems. Yes, we have password safes and other ways of managing large numbers of different credentials, and the advice given on passwords has evolved over the years, but fundamentally it was telling people to do something that was quite clearly impractical and unreasonable. We shouldn’t be surprised to find that even today, when choosing passwords as an authentication factor, a significant subset of people will still have poor-quality or compromised passwords. This is an inevitable consequence of the decision we make to use passwords in the first place, setting up seemingly simple barriers that have major implications.
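To make the usability point concrete, here is an added example that is not from the article or from Cyberis. It contrasts the ‘long, complex, many character sets’ composition rule the text describes with a simpler policy that checks only length and a denylist of known-compromised passwords; the second policy is the editor's illustration of a less burdensome control, not a recommendation the author makes, and the denylist contents are constructed sample data. The comparison shows how a memorable passphrase that the composition rule rejects can pass the simpler check, while a password that satisfies every composition requirement is still caught because it is known to be compromised.

```python
import hashlib
import unicodedata

# Constructed sample of compromised or trivially guessable passwords (hypothetical
# data, not a real breach corpus). A real denylist would be stored as digests too,
# so the plaintext never needs to be kept alongside the policy code.
_SAMPLE_COMPROMISED = {"password", "welcome", "Password1!", "letmein", "fluffy2019"}
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_COMPROMISED
}

MIN_LENGTH = 12   # assumed policy value for the illustration
MAX_LENGTH = 128  # upper bound so the hashing step cannot be abused with huge input


def normalise(password: str) -> str:
    """NFKC-normalise so visually identical Unicode input is compared consistently."""
    return unicodedata.normalize("NFKC", password)


def is_compromised(password: str) -> bool:
    """Look the password up in the (constructed) compromised-password digest set."""
    digest = hashlib.sha1(normalise(password).encode("utf-8")).hexdigest().upper()
    return digest in COMPROMISED_SHA1


def legacy_composition_check(password: str) -> bool:
    """The 'long and complex' rule the text describes: at least 8 characters with
    upper case, lower case, a digit and a symbol. Says nothing about whether the
    password is already known to attackers."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def evaluate_password(password: str, username: str = "") -> tuple[bool, list[str]]:
    """Usability-first policy: length bounds plus a compromised-password denylist,
    with no composition rules. Returns (accepted, reasons_for_rejection)."""
    pw = normalise(password)
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if is_compromised(pw):
        reasons.append("appears in the compromised-password list")
    return (not reasons, reasons)


def compare_policies(password: str, username: str = "") -> dict:
    """Run both policies over one candidate so the difference is visible side by side."""
    accepted, reasons = evaluate_password(password, username)
    return {
        "composition_rule_accepts": legacy_composition_check(password),
        "length_and_denylist_accepts": accepted,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed candidates: a compliant-looking but compromised password, and a
    # long lowercase passphrase that the composition rule would refuse.
    for candidate in ("Password1!", "correct horse battery staple"):
        print(repr(candidate), compare_policies(candidate))
```

The point of the comparison is that the composition rule measures the wrong thing: it rewards the shape of the string rather than whether an attacker already has it, and it penalises exactly the long, memorable choices that users can actually live with.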

See also the Cyberis blog.



© 2024 Professional Security Magazine. All rights reserved.
