Yesterday I was at a community event in Canberra, well, actually, it was in the middle of nowhere in New South Wales, but that's beside the point. One of the issues that came up there was how to sell security to senior management. Having struggled with this for a while I listened attentively as Peter Watson, Microsoft's Chief Security Advisor for Australia, explained his way of doing it. He uses the argument that security is what enables you to receive business value from the other IT investments you make.
Far be it from me to disagree with Peter, but it struck me that this argument could probably be taken a bit further. Isn't security really about building confidence in your IT? Obviously, security for the sake of security is something only those of us who work on security for a living could love. But what value does it provide to the rest of the world? I think it may be in the confidence it gives us in our infrastructure.
One way to think about it is with an analogy. Have you ever had a really bad car? One that could not be trusted to actually get you to the destination you sought, and certainly not back? Were you really looking forward to getting into it? Of course not. You tried to avoid it at all costs. If you replaced it with a new car you finally got your confidence back and started making trips again.
IT is like that car, and security is the enabler that gives us confidence in it. Ideally you do not want to have to think about it, have to notice that it is there, or worry about whether it is or not. You still have to have whatever it is that makes the car run reliably, though. If you look at the four "pillars" of Microsoft's Trustworthy Computing initiative, a recognition of this seems to actually be there, although obscurely stated: the real objective is to have reliable systems where our information stays private. Security is what enables that to happen. It is what we do to gain confidence in the reliability of our systems. It is what allows us to trust that those systems will be there, will function, and will do what we need them to do. Ideally, security would not get in the way in the process, and that brings us to the fundamental tradeoff I have talked about so often.
Do you agree? Having had the luxury to do security for the sake of security for so many years I am struggling a bit with how to sell it to people whose job it is to run our systems. If you have a great way to do that I'd like to hear about it.
My personal experience has been that it is surprisingly easier to sell security to my superiors than to my fellow IT professionals. Perhaps this is because the higher-ups are already indoctrinated with the threats of non-compliance with regulations such as HIPAA and Sarbanes-Oxley.
Unfortunately, the best I have been able to do with my colleagues is to resort to scare tactics. "What-if" scenarios that end with a system being compromised or sensitive information being disclosed can be effective, but only in limited doses.
However, I have had some limited success in lending out my copy of "Protect Your Windows Network."
Just to be a pedant, we in Canberra don't see ourselves as in the middle of New South Wales - we are in our own small Territory called the Australian Capital Territory ;)
The ACT was created because NSW and Victoria couldn't agree who would be the capital of Australia - so they created a separate Territory. Back in the 1900s there was a fear of naval bombardment so they placed the capital away from the coast - which is of course redundant now as we have missiles!
See you at the AusCERT conference.
I think the problem that I see is that many of the security folks come in with something I'm going to call their "Absolute" hat on. We don't need "best practices" ... you've said it before, we need good enough. We need someone who understands how the business works, how the data flows, how the software meshes into the fabric of the work environment, and comes up with a solution that is a balance between just enough paranoia ... and just enough business reality.
Perhaps if more of the IT folks and management were brought into the security discussions sooner rather than later, that might help to get the communication going between management and IT? I see this too often in my sister's firm (a government entity): the people who choose the software do not engage the folks above them or below them, and tend to rely too much on the demonstrations from the vendors and whatnot. Then, however many millions of dollars into the project, the realities set in. They are not bringing the right people to the table for the decision making until it's too late.
As in the classic photo that Mr. Riley uses in his social engineering presentation, where folks will 'go around' the thing that keeps them from getting their job done, we need to remember the balance.
At the same time we do little or no basic security training AT ALL, even at home, so that this 'awareness' can start seeping into our daily lives. My Dad just got on high-speed, and the 2Wire DSL modem didn't warn me that I had just stuck a sucky password in the modem 'cause Dad doesn't want a proper one, doesn't warn you about some of the risks of those peer-to-peer gaming ports that you can easily click in the GUI and enable, and didn't talk about the security of the wireless setting in the modem (WEP). My Dad just got, finally, on the Internet Super Highway, and where's the driver's license? Where's the manual on seat belts and their usage? Where are the guidelines for operating that DSL line like I get when I buy a car?
We have it with those cars up there, don't we? I get an operator's manual and I must be licensed to drive the car. I have to insure it and carry my license and proof of insurance with me.
Someone once said (was it you? I think?) that we spend more money securing our automobiles in the parking lot of our buildings than we do our data. We lock them. We put in alarms. We have security guards and closed-circuit cameras. We insure them against theft.
... remind me what we do again for our computers? We say we can't afford security? And yet how much do our Fortune 500 C-level folks make per year?
I think it comes back to the golden rule. Okay, Mr. C-level guy at the top of your firm ... you tell me ... your personal, valuable data is in that "fill in the blank". How much are you willing to pay to protect your own personal data? Your family's data? To ensure that your children's future financial history is not tainted?
Protect unto others ... what you would demand a firm do to protect your own personal data.