Cybersecurity is slowing down my business, say majority of chief execs

Chief execs polled in a major survey have little time for their cybersecurity folk and believe complying with security regulations hampers business. Some 71 per cent of 1,000 top bosses surveyed by Cisco feel that efforts to shore up IT defences slows the pace of commerce. The study is due to be published next month. Big …

  1. Alister

    Big cheeses cheesed off with security staff getting in the way of profit may well rid themselves of their troublesome priests

    This is the problem, isn't it?

    If it is perceived to be more cost effective to skimp on security, and pay the occasional fine for lost customer data as a result, then that's what a company will go for, every time.

    The only solution is to make the consequences of not having security too expensive to contemplate.

    1. Anonymous Coward

      Paying the occasional fine

      Seems like the incentives are wrong. Whilst lapses are probably inevitable in the face of well-organised and funded hackers, how about a system with a geometrical ratchet - you automatically pay double the previous fine each time - to incentivise against multiple lapses.

      1. Sir Runcible Spoon

        Re: Paying the occasional fine

        Until there are specific cost figures associated with risks in the security world the bean-counters will always treat it as an 'unknown' value.

        You can argue until you are blue in the face that losing your customer database, or having your bank website hacked (not just ddos'd), will have an enormous negative impact on revenues. But if the cost of implementing the security is known and the cost of not implementing it isn't known, then guess which one wins.

        This is what regulation is for: to try to force people to do the right thing when they are too penny-pinching and narrow-minded to work it out for themselves.

        A prime example of this is the energy industry. The cost of having our power grids taken offline for 24 hours or more is unthinkable (in more ways than I can count) - so there are strict regulations.

        However, regulations do not keep pace with the changing threat scenarios. There are so many attack vectors now that you absolutely need a holistic approach to security - and that means the security gurus need to get their hands dirty at layer 7 a lot more. We need to understand what the data is that is being protected by the firewalls/IPS/IDS/proxies etc. - because if we don't, we can miss an obvious (in retrospect) vector.

        I have seen situations where there is a will to do the right thing (i.e. pay the big bucks for the holistic approach), but this type of environment needs more than just your 9-5 engineer looking at firewall implementation etc. (think analytics/incident response, application support on top of all the usual security/network stuff), so doing it properly costs money - because the people who can do all that stuff don't come cheap - and it's not something that is easily outsourced. Regardless of all the good intentions though, solutions keep getting pared down to the point where all those fancy tools will work OK for 6 months - but beyond that they will get out of shape and end up as shelf-ware (or as a costly re-vamp).

        It will all end in tears I tells ya!

    2. Thomas Whipp

      As someone currently holding a CISO title, I have huge sympathy with the CEOs in this report. But the thing is, for most companies their security problems are something they have built for themselves in terms of internal systems architecture, politics and processes. They aren't objecting to the requirement or desired outcomes, just the method of delivery.

      A more fundamental issue is that you can't "do" security - it may seem trivial, but security as a word is an adjective, not a verb. You can be secure, you can feel secure, but you can't do secure; it just doesn't make sense. Also, from a branding perspective, security isn't a very engaging word; assurance, trust or resilience are much better topics to discuss with someone.

      People holding any form of security title should really be concerned with one or more of the following: identifying risk, defining good practice, measuring actual practice against standards and finally breach monitoring and incident management.

      The risk management piece is the central one from a senior stakeholder perspective. A lot of the friction comes down to the fact that most security professionals instinctively have a low risk appetite while most CEOs have a moderate to high appetite; but also a lot of security people simply don't understand the risks inherent in other areas of the business, which is what a CEO will compare a security risk against. A good security person can explain the risk without overplaying it and allow reasonable decisions to be made; an excellent security person will find ways to move security forward.

      Firewall admins and similar roles are to my mind an element of infrastructure, and the career path for people in that space will be dictated by infrastructure and network management trends.

    3. tom_kowalsky

      Ability of executive/security staff staying current & relevancy of regulations

      The problem with both executive and security staff, speaking as a 15 year veteran in security tech and governance, is that there is a significant problem with staff holding on to their legacy knowledge without dedicating themselves to the new realities of how technology is employed. I am not expecting executive staff to be as versed technically, but a bit less rigid would help them and the companies they represent.

      It's like the adage of throwing the baby out with the bathwater. Is it a good idea to part with a security professional whose strengths reside in the security of legacy technology and who has less current exposure to the modern uses of various technology? What I often see is that the viewpoint (or views) *(speaking architecturally) are often constraints on people, limiting them from being creative in the security function they fulfil.

      IT security requires a broad set of skills and a mindset that is equally broad. In the places that I worked, there were better security staff outside the formally established security department who had the skills to be better at technical security and governance with little refinement.

      Furthermore, there have been plenty of regulations (industry or government imposed) that have become overwhelmingly similar and over the same time become dated to the point where they are either not relevant or have not kept pace with the industry.

      The descriptions I have provided of staff and regulations have stalled the creative thinking in many departments. It has also sucked out the inspiration of many good and potentially great security professionals from continuing in the best interests of the IT community against the threats present.

      Kowalsky out.

    4. Tom 13

      @Alister

      While the overall analysis is good, I suspect the issue here is more the location of the fine than its magnitude. Since the fine comes off company profits, it's a rounding error. If it came off the CEO's salary, I don't think doing proper security would be such a problem.

  2. Chris Miller

    If you think safety is expensive

    Try having an accident.

  3. Pete 2 Silver badge

    If you can see it, you're doing it wrong

    > security staff getting in the way

    A not unreasonable attitude - and one that is prominent (dominant?) in the real world, with users, too.

    The problem with "security" is that it's not built-in. If it was, it would be transparent and nobody would be able to point to a thing, server, person or process and say "that dam' security [ whatever ] is slowing down our business". The security elements of a business should be ubiquitous, rather than discrete. There shouldn't even be a security component, just like there isn't a literacy department (unless you count Q.A.) or someone whose job is to ensure the staff aren't walking around naked.

    As with real people in the real world, if security gets in between them (us?) and what we are trying to do, it's a failure. And therefore it will be no surprise that people will ignore, disable or subvert all the bad security implementations that are seen as annoying complications to their lives. The level of engagement that users or businesses should have with IT "security" needs to be down at the putting on your seatbelt level - and even then you still get idiots who think that is too much trouble. Anything more complicated for users is just bad design and poor implementation.

    1. This post has been deleted by its author

    2. Philip Storry

      Re: If you can see it, you're doing it wrong

      Kind of.

      We're trying to change a culture here.

      At first, IT was a strange thing in big offices with big expensive kit that worked miracles.

      Then, it came down to the desktop, and allowed anyone to perform smaller miracles.

      Next, we connected those desktops and gave everyone the benefits of sharing files, emails and so forth.

      Recently, we interconnected all the separate business networks via the internet, which was a huge boon but also a security bane.

      Security shouldn't be invisible, it should be normal. It should be part of every project, of every procedure, of every technology. But as IT became so ubiquitous that it entered everyone's personal lives as PCs, MP3 players and smart phones IT also became something that people regarded as a commodity - something that "can't be expensive" and "can't be difficult".

      Here in IT, we're kind of young. This is a cultural challenge we've never faced before. So let's look at another industry where they have a similar issue - the construction industry. There, safe working should be part of every worksite. Every access point, every construction phase, every job, every bit of equipment - they should all have the safety of the workers in mind. Workers may well be available, but they should not be regarded by the construction companies as a commodity - they require protection.

      So every building site has a big sign at the worker's entrance, declaring "no hat and boots, no job".

      Health and Safety is still visible, and in a big way.

      But it's also just normal. That's the way it is in the construction industry.

      Why? Because the law states that if a Health and Safety breach occurs, people can go to jail. It's not just fines. It's potentially their liberty. In the 1970s we got tired of workers being treated as a commodity, and dealt with it accordingly.

      You want the attention of these idiot CxOs? Easy. If they get compromised and they can't show that they took security issues seriously, then as well as the company being fined they get the joy of going to court to defend themselves from jail time.

      Just like health and safety issues, we probably won't get any traction until we focus the minds of our "best and brightest" CxOs. After a few have gone to prison, companies will take this seriously and then it won't be invisible, but it will become normal - which is what we actually want.

      But until then, good security will just be a cost to be shaved as thin as possible.

  4. Anonymous Coward

    Don't worry <buzzword>DevOps</buzzword> will save everything.

  5. PassiveSmoking

    You don't need security

    It just gets in the way and it doesn't add any benefit. Seriously, what use is it spending money on something that doesn't make our website look flashier or let customers get through the checkout quicker?

    And the builders of the Titanic thought why do you need enough lifeboats for everybody? You're never going to use them anyway, we only need as many as the regulations say we must have. They just take up space and look ugly. That's not going to get more passengers travelling with us is it?

    And Challenger doesn't need O-rings that don't turn brittle in freezing temperatures. It's not like we're going to use the shuttle to launch all payloads including ones that would be perfectly fine on an expendable unmanned rocket, it's not like Florida ever gets all that cold, and who'd be dumb enough to launch in freezing conditions anyway?

    Oh, wait.

    Why must we keep repeating the same mistakes over and over?

    1. Tom 13

      Re: Challenger doesn't need O-rings that don't turn brittle

      As I recall, the issue wasn't so much that the rings got stiff (not brittle) in cold temperatures. It was that middle management chose to ignore the recommendation of their tech people because they (he? IIRC it actually came down to just one dipshit close to the bottom of the information feed) didn't want the President to miss his photo op.

  6. jake Silver badge

    The real issue is ...

    ... that "management" and "marketing" are seen by the MBAs in charge as "Profit Centers", whereas the folks running the hardware that make it all work are "Overhead".

    Until this attitude changes, secure corporate systems will never exist.

  7. 0laf

    Security is an enabler

    Maybe a lot of security guys are certified but shite. A lot of good guys are uncertified because they're too busy doing the job.

    Security is effectively insurance which is always a hard sell. You're asking a business to pay for things and carry out functions which cost money and time yet if they are effective nothing happens.

    But it is also the responsibility of the senior managers to act responsibly with the security of their data and systems. Security should be baked in from the start, where it has much less impact on cost. If they choose not to, then they will reap what they've sowed (talktalk et al).

    Security guys also tend to be a paranoid lot, so if they have recommended actions which managers have ignored, they will be able to produce the evidence should the manager seek to find a blamehound when it goes wrong.

    1. Tom 13

      Re: Security is an enabler

      Maybe it should be, but it isn't. Because most of the time the safest course of action for the security guy is to say no. I also see way too many box checkers in the business: "This checklist says we need to implement this policy" even though the subsystem the policy was written to address has been altered radically and that control is no longer relevant to the way the new subsystem functions.

      1. jtsec1

        Re: Security is an enabler

        And this is the "change" that the author is speaking about... we can no longer be effective security leaders and executors if we don't become change oriented and offer business aligned solutions. And the business needs to listen as well. I've never felt compliance or checklists equal a secure environment, but the business has.

    2. Mark 85

      Re: Security is an enabler

      Security is effectively insurance which is always a hard sell. You're asking a business to pay for things and carry out functions which cost money and time yet if they are effective nothing happens.

      This should remind us of the Y2K "problem". After it was over, how many CEOs bemoaned the fact that "nothing happened, so why did we spend all that money?".

      There's a mindset here that can't believe that "nothing is happening" is a good thing and worth spending some cash.

    3. Anonymous Coward

      Re: Security is an enabler

      Yes, if you can pull up your proof and get it in front of someone who will actually listen before they frogmarch you out of the building claiming you failed to do your job. Believe me, the COO isn't going to take the blame even though you begged for budget to install and maintain critical security systems, backed by industry case studies, trends and experts.

      Do I sound bitter? Do I have a reason?

      I'll give you one guess.

  8. Anonymous Coward

    I don't think the issue here is actually managers seeing that security is a barrier, it's security people creating barriers to business instead of realizing the security needs to follow the company line and enable.

    There is a lot of resistance when you tell someone they can't do something because of any-reason-at-all, and continually shouting about it isn't going to help anyone. If you prevent the business from doing its job for any reason, you're doing it wrong. As I was once told in a previous role, "There is no point being the most secure company in administration" - that doesn't mean you should reduce your security; you should ensure that the security in place allows the company to function.

    I got us through PCI level 4 for £1k a year while we were a startup (being an open source nerd rocks), and we are now solidly audited by a QSA each year, even though we don't need to be by volume of credit card transactions (we are still at self-certification level but choose to pay a QSA to audit us). It was an easy sell to management: the marketing punch of being able to quote that we are audited secure, and by slapping, for example, our auditor's logo and the Symantec 'Secure Site' logo on our website, I proved there was a visible increase in our stats of customer trust and conversion through the site. This is what the other senior guys listen to, and even the marketing department now tows the security line.

    The other issue out there is the security industry itself, the amount of bullshit FUD that they pump out discredits the entire industry, they can't show quantifiable metrics to show how their products can help business and are far more interested in telling people that "99% of all business in the Universe at some point have The Haxors sitting in their office Haxoring their Internets" - that's not helping us internal security guys any when it comes to promoting security, what they should be doing is showing how their low-impact security solution can help us in a discrete quantifiable way without hitting our bottom line like a freight train.

    Which, of course, is impossible as *cough*some*cough* of them are just bulky overlays on top of nmap and Nessus which they throw a 20k tag on top of. True story, we used to subscribe to a certain security product which cost us thousands of pounds per month to do IDS and log management.

    It emailed our passwords to us in plain text.

    True, freaking, story.

    Apologies for the ranty and un-checked style of post, sore subject :)

    1. Doctor Syntax Silver badge

      "I don't think the issue here is actually managers seeing that security is a barrier, it's security people creating barriers to business instead of realizing the security needs to follow the company line and enable."

      One way of looking at security is that it's the ratio between the difficulty of someone trying to do something nasty and the difficulty of someone trying to do their job. There's no point in making the first impossible if you also make the second impossible.

    2. Captain Badmouth

      Tow the line?

      Have an upvote for the post, but it's "Toe the line". :)

      1. Anonymous Coward

        Re: Tow the line?

        Thank you for the up vote.

        Apologies for the crap English; rant mode needs to pay more attention :(

    3. Mark 85

      I was hauled into a meeting with the board around 5 years ago as a "spear-carrier" for my boss. The board was taking a "hard look", as they called it, at all of IT and were holding meetings with small groups of managers.

      Anyway, the IT Security head was asked "How many hackers were stopped? If we're not being compromised, why do we even need you?" He looked back at that board member and made a statement that they should get the head of Physical Security up here, because he should be asked "How many people who had guns were prevented from getting to the exec suites and the board room?" and that "If the answer is none, his department should be disbanded also." The look on the board members' faces was priceless.

      As a footnote, that head of security is now CIO.

  9. Anonymous Coward

    It seems everyone has a different perception of what security IS as well which doesn't help.

    For example, configuring mobile phones, as mentioned in the article? Every team I've worked in, with, or over has always had that assigned to Ops/Desktop/Whatever. You use your MDM of choice, someone designs the policy, it gets checked and signed off by each team (Ops/Inf/Sec/NOC) purely out of completeness - I've always found that even if something shouldn't fall in someone's area, it's worth getting an eye cast over it, as people often know things outside their specialisation. Then once that's done, it's just a BAU job. Phone comes in, MDM agent installed, configuration done.

    Same with firewalls; it's a bit more of a contentious issue, but I've always put that with NOC. Security should be policies, processes, integrating with the stakeholders, and research. I've always treated it as more of an advisory role. They should be keeping abreast of things, researching things, and the only time they are directly involved with the day to day is either for Problem Management teams or incident response.

    The kind of people I like to have for security are generally the kind of people I like to have focused on things that other people can't do, as they're expensive!

  10. Steve Davies 3 Silver badge

    The Sell, sell, sell mentality

    selling improves the bottom line.

    delivering what was sold hits the bottom line

    delivering what was sold to the correct customer hits it even further.

    delivering what was sold to the correct customer and not spaffing all their details onto the internet for all to see hits it even further.

    etc

    etc

    So you (as CEO/Chairman/BOD etc) decide how far down the ladder you want to go. That may or may not be adequate for the regulatory requirements of your industry.

    If it isn't then we are into the 'what they don't know about is goodness for our profits' territory.

    This management malarkey is pretty simple, eh? There must be a reason why I'm a techie and not a boss. (Don't answer that...)

  11. RobertD

    Hopefully...

    The new EU data protection directive and its fine of 2% of global turnover will help managers to see info security as a way of protecting capital rather than a cost. I live in hope.

  12. Destroy All Monsters Silver badge

    71% of top bosses are incompetent, want unicornmeat in a box by Friday

    Film at 11.

    There should be some kind of jihad, with pitchforks and hangings...

    1. Zippy's Sausage Factory

      Re: 71% of top bosses are incompetent, want unicornmeat in a box by Friday

      pitchforks and hangings

      Nah, hanging's too good for 'em. How about making them watch every existing episode of Crossroads. Simultaneously.

    2. GrumpenKraut

      Re: 71% of top bosses are incompetent, want unicornmeat in a box by Friday

      Beat me to it. Uppy voty.

  13. Anonymous Coward

    Time to reinvent the wheel?

    If IT security is dragging down businesses (it is), then they ought to invest in a fresh start. Operating systems, programming languages, internet protocols - they're all hopeless. R&D in those areas has been neglected for decades, as the typical business attitude has been "make do with whatever's easiest, and rush it out the door". Now we're burning so much time on kludges and compatibility layers and knee-jerk security measures, we could have rebuilt everything from the ground up many times over.

  14. Eclectic Man Silver badge

    A personal take

    "And Cisco reckons plenty of security bods will be in another job in five years"

    Not this one, no siree! I shall be retired in five years if I have anything to do with it (the Equitable Life pension fund disaster notwithstanding).

    As for 'selling' the idea of security, I've found the following to be reasonably effective:

    Your staff are paid to perform work for your organisation. Appropriate security protects their work from being lost to your organisation, corrupted or stolen by competitors. And if your staff's work is not worth protecting, why are they being paid to do it?

    And no, security should not be invisible or 'transparent'. We may live in 'the global village' but we still lock our doors when we go out, or go to bed. We want police officers on the beat to provide visible security.

    For IT security it is really worth knowing which malware your firewalls are trapping - if you don't check then maybe they aren't actually trapping anything.

    The real problem with senior management on security is their policy of "fix on fail". They will only fix something that is wrong if it has failed, either for them or for someone else. Try getting a new preventive measure through that costs money before any actual exploit has happened (and no, I don't mean patches for newly discovered vulnerabilities in software; there have been lots of reports of zero-day attacks for management to hear about to motivate them).

    Most domestic burglar alarms are sold to people after the break-in.

    And with the Cloud, and virtualised security features: we've got two firewalls and a DMZ with the MTA and web hosts in it. OK so it is all running on one box with one comms cable and VPNs providing separation, but virtualisation is so much cheaper and more easily scalable, so that's alright then, security saving money, innit?

    <and B R E A T H E >

    1. 0laf

      Re: A personal take

      Yep I think you nailed it in the last three words there -

      The real problem with senior management on security is their policy of "fix on fail".

    2. Tom 13

      Re: we've got two firewalls

      For some reason when I read that I thought back to the guy I met who was running both Norton and McAfee real-time scanning under DOS 6.0 with Windows 3.0.

  15. Anonymous Coward

    Shoring up IT defences and complying with security regulations

    'Chief execs .. believe complying with security regulations hampers business .. feel that efforts to shore up IT defences slows the pace of commerce.'

    Complying with security regulations mainly consists of filling in some forms and posting them off to the government, and has nothing to do with actually shoring up IT defences.
