Blogger: Eric Maiwald
A number of years ago I knew a security manager – we will call him Joe. Joe worked for a division of an enterprise and was originally hired as the head of IT security. One of the first things that Joe did when he came on board was to write a security policy. It was huge and covered all aspects of IT. Unfortunately, Joe wrote the security policy based on his experience and knowledge without consulting the business users. When Joe tried to implement his policy, he found that the business users were not too interested in implementing it. The complaints included everything from “that’s not the way we do things” to “I can’t do my job if I have to comply with all of this.” Joe pushed his policy, and the business pushed back. Most of you can guess who won – yup, the business won, and Joe ended up reassigned and working under QA in the software development department.
Business concerns also surfaced in my recent research into network security architectures. It was not only that security could not interfere with the business; IT as a whole could not interfere with the business either. Policies that required business users to work in prescribed ways did not go over well. In fact, if the business executives did not push back (and get the policies changed), the business users simply worked around the policies and security controls. Even where business executives are on board with (or at least not hostile to) the security policies and controls, users can still cause problems if they have not been trained in what is expected of them.
So what does this mean for the security professional? Clearly, security professionals cannot rely solely on technology. We may find the greatest product in the world, but if it interferes with the business, or if the product (or control) is even perceived to interfere with the business, it will fail when implemented. Security professionals cannot ignore how the business works. We cannot ignore the needs of the users, and we certainly cannot take user knowledge for granted. Security professionals need to build a partnership with the business and with users in order to manage risk to the enterprise. This does not mean that no security control can be implemented. Through a partnership with the business, security professionals can explain the purpose of a control or policy in managing risk, and the business can explain which ways of working a control must accommodate.
More results from the network security architecture research will be presented at Catalyst North America the week of June 23 in San Diego. I hope to see you there.