We’ve all heard and many of us have said that everyone has their part in security. In other words, everybody in the organization is responsible for security in some way. But talk is cheap – what does that really mean? I’ve seen organizations where IT is fully in charge of security. Literally no policies, minimal security-focused processes, and certainly no user involvement. From the point where security starts to the point where it ends – it’s all about IT. On the other end of the spectrum, I have seen organizations that touted their user awareness and training programs ad nauseam to the point where one would assume that the only thing keeping security afloat is each individual employee.
I have found that in order to run and maintain a well-balanced information security program, there has to be a good balance of technology and personal responsibility. Technology on the part of IT and security teams to help enforce documented security policies and support secure business processes. Personal responsibility on the part of each and every user on the network in terms of using their computer systems to do what’s in the best interest of the business. One of the things that I have found particularly troubling in terms of information risk management is the notion that IT handles everything related to security. I believe that part of this is brought about by general ignorance of security concepts but it’s also related to the Nick Burns mentality where IT professionals rudely come to the rescue of everyone’s computing challenges.
Rather than an IT-versus-everyone-else approach to security, the end goal has to be not only doing what’s in the best interest of the business but also providing the means to set up every user for success in the process. I met an IT leader in higher education recently who said that he does everything in his power to make sure that he and his IT staff run their program by the motto “we enable work.” He said that every decision involving security was made with the end user in mind. I wanted to hug this guy’s neck because I’ve never seen such an approach to security. In fact, every portion of my security-focused career has uncovered example after example of security getting in the way of doing business.
Every user has their part in security – to a point. Don’t get me wrong. I’m a firm believer that users are a large part of the security challenges that we face, and I don’t envy anyone in a position to balance user management with locking things down and staying compliant with the regulation du jour. Still, it’s incumbent on IT and security professionals to do what’s possible to make security transparent to the users. I will argue that users should be kept out of the security decision-making process altogether. They shouldn’t even have to think about it. Once they do, that’s when trouble arises.
Step back and think about the dynamic between you and your users. How is the relationship? Would management say the same thing? What if you brought in an outsider for a day or two to consult and look for deficiencies in this area? I’m guessing you would hear a very different perspective. Do what you can to narrow that gap between yourself, your staff, and your users. Just know that it all lies in properly-set expectations.
About the Author
Kevin Beaver is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. Having over 28 years of experience in the industry and 22 years focusing on security, Kevin specializes in performing independent security assessments of Web applications and network systems. He has written 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
Source: SANS ISC SecNewsFeed @ May 2, 2017 at 12:09PM