“Toilet take up too much space on plane. If it is an hour flight, two hours to Rome… to Paris…you can hold it in!” – Omar Baba, (“Come Fly With Me” episode 1).
In a recent discussion with a large organisation’s security team, they announced that the company had implemented a new approach to launching security technologies. In a nutshell, the message was, “there’s been a shift to buy solutions based on business requirements, i.e. the business needs to know that it needs a solution. The entire security team is there to serve the business.”
I don’t know about you, but I’m at a loss to know how the business would even realise it needed a security solution! I thought the idea of organisations hiring IT security specialists was to help advise the business of information security risks, so that the operational practices, critical assets and integrity of the business were protected.
Quite how the business is able to assess unmanaged and unquantified security and operational risks on its own is completely beyond me. Here’s a real-world example of the dangers of this approach. A friend returning a few weeks ago from a vacation in South Africa arrived three hours late because heavy winds at the original destination meant they couldn’t land safely.
Apparently, the majority of business-class passengers on the re-routed flight were complaining that they would be late or miss meetings as a result. After all, it was the pilot’s job to get them there on time. Fortunately the pilot was not influenced by “business requirements”.
A recent survey conducted by Venafi revealed that organisations are deploying increasing numbers of digital certificates and encryption technologies, but that these security assets are also becoming lost, stolen and unaccounted for in epidemic proportions. More than half of those surveyed stated that, “they had experienced either stolen or unaccounted-for encryption keys, or they were uncertain if their organisations had lost, stolen or unaccounted-for encryption keys in general”. In fact, they didn’t know what was going on inside their own infrastructure.
Taking this a step further, there are a number of critical areas where the “business” really has very little understanding of what actually happens. For example, it is unlikely that business owners will understand the security risks involved in security operations and encryption key management best practices. This includes things such as separation of duties, least privilege access, and the necessary processes and access controls.
Although the business is likely to have requirements such as preventing application and service outages, it is unlikely that they will have any concept of what that means in practice and how to achieve it. For example, how would the business propose the IT department address the challenge of ensuring that digital certificates do not expire? Or what would the business propose as the answer to ensuring that key distribution and rotation is carried out in a secure manner?
If compliance with the Data Protection Act, PCI DSS, etc., is a requirement, then it is even more unlikely that business owners understand the implications. For instance, how would the business propose that the IT department carry out the periodic changing of encryption keys when the keys have reached the end of their crypto-lifecycle validity period? And how would the business propose that the IT department implement best practices on cryptographic algorithms and key management, for example NIST Special Publication 800-57?
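The three operational questions above (certificates that must not expire, keys that must be rotated at the end of their cryptoperiod, and keys nobody can account for) are the sort of thing a security team answers with an inventory-driven review. The following is an added illustration, not code from the article or from Venafi; the inventory records and the cryptoperiod figures are constructed for the example and are an assumed local policy, not values taken from NIST SP 800-57.

```python
from datetime import date

# Constructed inventory of certificates and keys (sample data, not real assets).
INVENTORY = [
    {"id": "tls-web-01", "kind": "certificate", "owner": "web-team",
     "not_after": date(2024, 7, 1)},
    {"id": "tls-api-02", "kind": "certificate", "owner": "api-team",
     "not_after": date(2025, 3, 1)},
    {"id": "db-aes-07", "kind": "key", "owner": "dba",
     "created": date(2021, 5, 1), "usage": "data-encryption"},
    {"id": "legacy-sign-03", "kind": "key", "owner": None,
     "created": date(2023, 1, 1), "usage": "signing"},
]

# Assumed cryptoperiod policy in days, per key usage. These are illustrative
# local limits; a real policy would be derived from NIST SP 800-57 and the
# organisation's own risk assessment.
CRYPTOPERIOD_DAYS = {"data-encryption": 730, "signing": 1095}


def review(inventory, today, warn_days=30, policy=CRYPTOPERIOD_DAYS):
    """Return (id, finding) tuples for every item that needs action today."""
    findings = []
    for item in inventory:
        # An asset with no recorded owner is exactly the "unaccounted-for"
        # key the survey describes: nobody will notice when it needs rotating.
        if item["owner"] is None:
            findings.append((item["id"], "unaccounted: no owner recorded"))
        if item["kind"] == "certificate":
            remaining = (item["not_after"] - today).days
            if remaining < 0:
                findings.append((item["id"], "expired"))
            elif remaining <= warn_days:
                findings.append((item["id"], f"expires in {remaining} days"))
        elif item["kind"] == "key":
            # Keys past their cryptoperiod must be rotated regardless of
            # whether anything has visibly broken.
            age = (today - item["created"]).days
            limit = policy[item["usage"]]
            if age > limit:
                findings.append(
                    (item["id"], f"cryptoperiod exceeded by {age - limit} days"))
    return findings


def run_review(today_iso="2024-06-15"):
    """Run the review against the constructed inventory for a given date."""
    return review(INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for asset_id, finding in run_review():
        print(f"{asset_id}: {finding}")
```

Running it for 15 June 2024 flags the web certificate as expiring in 16 days, the database key as 411 days past its cryptoperiod, and the legacy signing key as having no owner.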
“Even the best encryption in the world is not going to stop an employee from bypassing procedures and making a mistake that results in data leakage, or a rogue insider from giving up sensitive information for money.” That is the main message from a group of prominent cryptographers at the recent RSA Conference. According to the experts, “encryption is sometimes deployed improperly, leaving gaping holes that can be used by attackers to steal sensitive data. Other times, encryption is used on a small subset of an organisation's network – a risk-based decision that can have a profound effect on the security of interconnected networks.”
This often results from a business decision to try to ensure the most return with the least investment. The first order of business when any new C-level exec starts his or her tenure seems to be the cancellation of any investment in order to demonstrate their value to shareholders.
It’s time that organisations realised that short-term shareholder benefits and executive bonuses based on maximising profit and limiting investment are never in the best, long-term interests of a business. As Omar Baba might say, “safety check on airplane cost too much…we have life jacket!”