
Enterprise Security: A Data-Centric Approach to Securing the Enterprise

By : Aaron Woody

Overview of this book

Enterprise security redefined using a data-centric approach and trust models to transform information security into a business enablement process. It is a unique and forward-thinking approach for deciding the best method to secure data in the enterprise, the cloud, and in BYOD environments. "Enterprise Security: A Data-Centric Approach to Securing the Enterprise" will guide you through redefining your security architecture to be more effective and turn information security into a business enablement process rather than a roadblock. This book will provide you with the areas where security must focus to ensure end-to-end security throughout the enterprise, supporting enterprise initiatives such as cloud and BYOD. "Enterprise Security: A Data-Centric Approach to Securing the Enterprise" will first introduce the reader to a new security architecture model and then explore the must-have security methods and new tools that can be used to secure the enterprise. This book will take a data-centric approach to securing the enterprise through the concept of Trust Models and building a layered security implementation focused on data. This is not your traditional security book focused on point solutions and the network aspect of security. This book combines best practice methods with new methods to approach enterprise security and how to remain agile as the enterprise demands more access to data from traditionally untrusted assets, hosted solutions, and third parties. Applied Information Security - A Data-Centric Approach to Securing the Enterprise will provide the reader an easy-to-follow flow from architecture to implementation, diagrams and recommended steps, and resources for further research and solution evaluation. This book is a reference and guide for all levels of enterprise security programs that have realized that non-data-centric security is no longer practical and new methods must be used to secure the most critical assets in the enterprise.
Table of Contents (22 chapters)
Enterprise Security: A Data-Centric Approach to Securing the Enterprise
Credits
About the Author
About the Reviewers
www.packtpub.com
Preface
Applying Trust Models to Develop a Security Architecture
Index

Enterprise security pitfalls


The challenging responsibility of leading security within an enterprise can be successful or disastrous. Security in principle is black and white; however, implementation and the real world are gray. When security personnel operate from a binary perspective on security principles, it fosters a false picture of an ideal enterprise security posture. That ideal does not exist, and chasing it will frustrate security objectives. We as security personnel are charged with understanding how the enterprise functions so that we can provide the desired security direction and expertise as a business enabler. We can then more effectively determine the risk associated with an implementation, and that risk identification will determine the investment in securing it.

Many times the security conversation is nothing more than just that, a conversation, because the security team is unable to speak in a language the business or other IT teams can understand, let alone in a compelling manner to influence change if a solution will introduce risk or undermine security. If we are insisting that certain technologies must be implemented, then we must be able to bring this full circle and tie this position to supporting processes, policies, standards, business needs, and risk.

Application developers are a great example of a team that typically steers clear of point solutions and looks for options that easily insert into their existing processes and are repeatable. Working closely with other IT teams will prove to be fruitful and help achieve security-focused goals when collaboration and cooperation are encouraged to collectively decide on security solutions.

Shortcomings of the current security architecture

The current security architecture is not keeping pace with enterprise trends such as bring your own device (BYOD) and cloud initiatives; it also does not address the internal network facet of information security. This gooey, soft inside has traditionally been neglected because the current security architecture deemed internal assets, employees, contractors, and business partners as trusted. The same security controls are typically not mandatory for internal communications as they are at the perimeter; however, this is where an enterprise's most sensitive and critical systems and data typically exist.

Example shortcomings of the current security architecture are:

  • It fails to secure internal assets from internal threats

  • It remains static and inflexible; small deviations circumvent and undermine intended security

  • All internal users are equal, no matter what device is used or if the user is a non-employee

  • Security is weak for enterprise data; access is not effectively controlled at the user level

We have done what the security industry vendors want us to do: buy security appliances and software and implement them, regardless of whether doing so actually increases the security posture of the organization. Some trends indicating we are doing it wrong are the significant increase in data breaches and the growing movement of security implementation to the cloud and other managed security services. This is indicative of implementing point solutions with little to no integration, limited in-house expertise and/or staff, and the overwhelming amount of data produced by the solutions. So while we have done all the correct surface things, we have in fact produced little positive impact while complicating security.

What do we do when an implementation cannot be implemented per this current "security" architecture, or access that is requested causes the architecture to be broken? We compromise; not only on the architecture, but on the security of the enterprise. New security architecture must be developed to address the issues outlined. The remainder of this book presents a methodical approach to better positioning security in the enterprise and looks at how to implement flexible and agile security architecture to enable the business to take advantage of the latest trends.

Communicating information security

The zealous security professional will often focus so intently on the responsibility of securing the enterprise that they miss the business objective. This leads to security personnel having tunnel vision and only seeing one set of methods to secure an enterprise. This tunnel vision can be detrimental to the success of the security team overall and can have a negative influence on design and purchasing decisions.

Because security is not a commonly and generally understood IT function, it can be difficult to get upper management and other IT teams to buy in. This is evident when security asks them to make costly network changes, or to change the way a solution is to be implemented, and the security team has failed to provide a compelling rationale for doing so. Why is this? I think because we have not spent the time to understand how the business functions, and we do not always have representation at the highest levels to present our case. In my experience, organizations that are missing a security-focused executive-level sponsor are at a significant disadvantage in successfully implementing a security practice that really reduces risk to the business. What an individual at this level can achieve far exceeds the capability of management at a lower level because of the position of influence. It is much easier to influence laterally and downward, but very difficult to influence upward.

Discussions at lower levels within an organization tend to be more shortsighted, specific to an implementation, and more emotional. For example, when security becomes a topic during an initiative, the implementation of this initiative may be an individual's or team's vision, and now security is seen as threatening to complicate the implementation or halt it, maybe at an additional expense. Often, security is an afterthought, and is therefore not well received. Having a security-focused senior management position or having a security architect (team if needed) that is responsible for the overall security architecture of an organization can avoid or lessen the burden of this scenario. It should be noted that all enterprise employees are responsible for security and must embrace the integration of security into all applicable IT and business processes. The security of the enterprise is only as good as the weakest link.

The cost of information security

If security is communicated as an enterprise priority and is generally understood, we might think that we should be able to do whatever it takes to secure the enterprise. However, this is not necessarily always the case. At some point the cost valuation has to be determined before an enterprise makes a decision to take on additional expense to implement security controls. The difficulty in providing quantifiable data to back up the cost and request for security-related purchases is significant; we must learn to operate smarter according to more intelligent security architecture.

Let's think of it like this. If an intangible is presented, such as "if we buy security product X we reduce our risk of being hacked, which could cost the enterprise a high-dollar figure", and another team is presenting an expense that is tangible and quantifiable, where do you think the money will go? An example: the security team wants to spend $150,000 on a web application firewall; there is no data on current attacks against the enterprise, just the latest report on the Internet showing the trends in data breaches associated with web application security. Another IT team needs to buy servers because the current servers are at capacity, and without the purchase several key IT initiatives will be impacted. This is not to say the latter is not valid, but this budget contention will always exist with the server team or some other IT team. Again, I ask, where do you think the money will go?

It is rather predictable, because security has become a bit of a cat-and-mouse game, and we are losing. So the next best thing to winning is detecting and mitigating last year's threat. This makes the security budget every year a bloated figure that leaves the security team fighting for every cent and still vulnerable to not being able to properly secure the enterprise.

The overall reason this is the case is the failing security architecture of yesteryear that we keep trying to shoehorn everything into. There are methods to reduce the security spend by making more intelligent, business-focused decisions that allow the business to be agile without compromising security, or at least with reduced risk.

The conflicting message of enterprise security

We as a security industry are too focused on one thing: "numero uno". That is to say, apparently no one in information security seems interested in actually solving the issues we face, only in profiting by keeping the well-oiled machine running. We have factions within security that say "do this, don't do that", while other groups say the opposite. This leads to teams of security personnel having very different ideas and views on how to implement security for the enterprise, determine risk, and handle day-to-day security operations.

An example of this conflicting message is the great debate on the subject of penetration testing and the false sense of security some believe it produces. There is great benefit to be had from consistent testing of enterprise security. The issues as observed are the lack of business justification and "value added" when there is a lack of quantifiable findings, and knee-jerk reactions of buying something that probably won't fix the real problem identified.

Our trusted security vendors generally develop other conflicting messages on what the real issues are and how only their product or service is the solution. Remember, each has the best solution for you, choose wisely. One will recommend their file integrity monitoring, another their whitelisting application, and yet another will recommend their next-generation firewall. What is management to do? The best solution will have to be determined once the proper security architecture has been developed and accepted at the highest levels of the enterprise. Execute to this, not the latest marketing slicks.

Enterprise security is truly a risk-centered balancing act between business initiatives and security. The vendors will sell their products and experts will have their opinions. However, ultimately the enterprise security professional will need to decipher how each impacts the security posture of their respective enterprise. Once this logic is applied, the message is no longer conflicting because you, the professional, have made sense of the messages for your application of security. It may be difficult to get other IT teams to see the same perspective. Communicating security tool effectiveness and the expected impact to risk reduction and securing the enterprise will be the best way to decipher the sometimes-confusing messages communicated by the security industry.

Proving a negative

One of the most significant challenges in information security is proving a negative: that is, showing that because specific steps or actions were taken, or a specific technology was purchased, we prevented what would otherwise have been successful network intrusions. This is in part because no deployed technology will give us this information, and in part because we only learn of a small portion of breaches. Even when breaches are reported, they may not have happened in the same industry vertical or may lack pertinent details, and therefore do not provide meaningful statistical data to justify security expense.

It is a challenge to get the executive board or other IT management excited about information security, and the price tags of the line items on the annual security budget. The traditional approach to information security decision making will fall flat on its face without a well-defined security architecture that is understood and adopted by those who will ultimately approve information security spend. This will have to be carefully approached using any and all applicable data that can support the position of the security team.

Ultimately, you can never prove the negative or convince senior management that changes need to be made in order to properly secure the enterprise without compelling data. A feasible method may be a well-written business presentation of applicable threats, assessed risk, and a recommended mitigation strategy for the enterprise. Providing a roadmap can also be very useful if significant cost is associated with getting the enterprise to a proper security posture. Because this is an ever-evolving and moving target, a roadmap allows for flexibility in strategy implementation over a period of time.