Security Is Not A Technology Problem: Why Companies Need To Be Looking At Organizational Issues Instead Of Products
By Daniel Miessler on March 8th, 2007: Tagged as Architecture | Business | Design | Philosophy | Security | Technology
As a consultant I constantly come across organizations that are more than willing to throw millions of dollars at their information security problems. Almost invariably this money is spent on technology: elaborate IDS/IPS deployments, expensive SEM solutions, etc. All this, but I seldom see any real security improvement as a result of adding high-end security products. Too often I return to customers months later to find the exact same problems.
Organizational > Technological

- Not Knowing What The Problem Is: Many companies aren’t even aware they are being attacked. Whether the attacks are internal or external, the majority of companies with massive security issues suffer from the head-in-the-sand problem. And the solution isn’t, “you need a SIM”. The problem is the lack of a) motivated curiosity and b) talent. Technological solutions are next to worthless for risk analysis, which is an essential piece of any security approach. You don’t start with a NAC implementation when your employees are pillaging you from the inside using their own legitimate credentials. You have to start with an accurate view of the issues to be addressed.
- Knowing, But Not Being Allowed To Address The Problem: This one makes me sad. Even if you have a good security team that knows what the issues are, more often than not there are major organizational obstacles to actually solving the problem. These are the very human issues such as political battles, turf wars, managers who don’t want to rock the boat, etc. These issues destroy the effectiveness of more security programs than the lack of any product or technology.
- Knowing You Have Issues, Having Authorization To Address Them, But Not Knowing How: This one is also common, and is usually just a case of not having the right people in the security program. I’ve seen so many security groups where the people just somehow “ended up” in the security department. They don’t have any particular interest in security (or even IT at all) and their skills reflect this fact. The easy answer (and the one most companies go with) is to hire consultants and/or outsource the whole thing. Being a consultant, this is great for me, but the better solution (in my view) is to clean house and get a real security team. That takes longer, and it’s more effort, but in my opinion it benefits the company far more in the long run.
In other words, an effective security program needs three things that no product supplies:
- Knowledge Of What Needs To Be Done
- Empowerment To Make Necessary Changes
- Talent To Execute Properly
That’s why organizational issues need to be addressed with the highest priority, before adding additional expensive, superfluous technology. Sure, if you have to spend the money, go ahead and get the products, but focus on making sure you can actually use the stuff; otherwise it might as well stay in the box.
--

I would agree. As a consultant I see the same things as a rule. But the one that is most detrimental and most common among our clients is the second mentioned issue of ‘internal politics’. The other two are a matter of the business being coached in how to know who to hire for what security positions, but the second is one that is normally fostered by the ones that say they want it gone. Those that play the politics for their own career safety and departmental success. Don’t get me wrong, there is a difference between being a good team player and understanding your co-workers and ‘politics’. But all in all, it is ‘politics’ that does not allow a company to address their risk posture.
Very true Daniel.
Comment by Rick — 3/8/2007 @ 9:59 am
The issue of the organization standing “in the way” is more often an issue of perception. Security folks (consultants, employees, etc.) often assume that they’ve been tasked with the most critical task.
“Make things safe”.
That’s rarely the case. Most often, especially for consultants, you’ve been brought in to meet the requirement of “best effort” or “due diligence”. The goal for the company is to meet the invisible bar that determines if they’ve tried to secure their data or not. Their goal is to remain profitable, not to secure anything. If it costs too much or affects business too much, whatever you feel needs to happen simply isn’t going to happen.
It’s frustrating as hell, but 90% of the time, you’re there because they had to have you come, not because they wanted you to.
Comment by Dave — 3/9/2007 @ 1:27 pm
There is truth to this, but it’s a simple fact that when breaches happen, management do come to security teams and ask why they happened. It’s not as if there’s just a “wink wink” under the table because they met the threshold of due diligence. They do want to avoid embarrassment, among other things, so there are definitely real reasons why companies do expect tangible results from their security efforts.
So while I agree that no security team is going to get full control of a company because profitability is paramount, they are still being given quite a bit. The problem is that they are squandering what they are being given, and that’s what the focus of the article was?
Am I missing something else?
Comment by Daniel Miessler — 3/10/2007 @ 9:12 am
Management comes to the security team to ask what happened almost always only because they’ll be asked what happened. If they ask, and it becomes apparent that it was a person’s direct fault, they have someone to fire/blame. If they ask and there’s no one to fire, they at least can answer the questions they’ll receive. If they’re asked and can’t answer, they’ll be the ones fired. It’s mostly CYA, rarely FYI.
The only empowered security teams I’ve ever worked with were ones who worked for organizations that had suffered serious loss due to an incident. All the rest were there to go through the motions. If securing the network/product/servers was going to be more expensive than deemed profitable, they were generally nerfed.
It’s bullshit, but true. =(
I have heard of some orgs in the financial sector who operate on the idea that they only want to hear of their competitors’ incidents and never their own, but I’ve not met these people first hand. They’re usually spoken about in the same context as unicorns and dragons =(
Comment by Dave — 3/10/2007 @ 2:36 pm
Hmm, I don’t know, Dave. I think there are quite a few companies out there that haven’t been breached that still want to be as secure as possible. Remember that they are protecting their reputation, and they know that it doesn’t take much to get it smeared when it comes to a security incident.
I think there’s quite a bit of wiggle room between not caring and being deathly afraid, and this is where the change in focus to organizational issues can reap rewards.
Comment by Daniel Miessler — 3/13/2007 @ 11:01 am
Hi Daniel,
All of your comments are excellent, based on status quo technologies. Since any security technology is really a band-aid fix attempting to compensate for inherent system flaws, which you have written about, they are ALL SNAKE OIL and a waste of money. Only a technology that addresses inherent design flaws in operating systems and drastically reduces the risk model should even be considered.
Comment by Rob Lewis — 3/15/2007 @ 4:35 pm