Blogger: Phil Schacter
The more we debate who owns security and is responsible for enforcing compliance and technical controls, the more we should realize that security needs to be everywhere and everyone needs to be involved. The days of IT security being effectively operated by the mainframe RACF or ACF2 administrator, or by the network security operations team administering firewall and router ACLs, are long gone.
A few examples of the many places where security resides within the organization and business environment:
- Security controls operate on the devices that access business IT functions, subject to the security-aware user avoiding actions that would compromise the device.
- Other controls are enforced by file management systems, content management systems, and enterprise database management systems to ensure that users are only able to access information that is required based on their current job function, organization role, or relationship to the business.
- Custom and commercial developers are responsible for delivery of software that is well tested and free of known code vulnerabilities.
- Network and content monitoring tools should recognize unacceptable behaviors and be able to determine accountability at the user, device, or application/service level.
A failure anywhere within the information, application, or identity life cycle could break security and expose the business to a growing array of insider or external threats, in spite of our best efforts to implement a defense-in-depth strategy.
A systematic approach to security is clearly needed to establish security as a basic quality of our IT-enabled business services. Security cannot be imposed and realized by an external regulator, or by a CISO drafting a new policy document, or by implementing all of the recommendations coming out of an IT audit report.
One of the steps that an organization can take to improve security across all aspects of the business and the IT organization is to have business executives clearly communicate to all employees the importance of security to the brand and economic well-being of the organization. A continuous security awareness and education program is needed to help all users and IT staff appreciate why security is important to the success of the business, and how individual actions contribute to the effectiveness of security controls. Such an awareness program is a bargain with minimal impact on the overall IT and security budget, often leveraging existing internal newsletters and electronic communication programs.
Security is also not something an organization can purchase from any vendor or combination of vendors. Achieving business and security goals requires everyone in the organization to play their part. This effort may be as simple as being aware when someone is paying too much attention as you enter your password or attempts to tailgate as you enter a secure facility, or not accessing a private web mail service that circumvents organizational malware filters. You get the idea…