Do we get the IT security we deserve?
Balancing technology with governance
In recent weeks we have run a number of connected "articles" about IT security. In this, the last article in the series, we reflect on security as a whole, and reviewing some of your feedback.
We kicked off with a piece on "why IT security matters" . While we said that it would be a rare IT person who saw security as unimportant, as one reader put it, “I've never worked in any company where security was considered near the top of the list if at all.”
This is a shame, given what we said about the "threats" existing both ‘out there’ and within the corporate boundary. We don’t want to act as scaremongers, but one thing is for sure – attacks are becoming more targeted, and seeing security as someone else’s problem is ever less of a valid option.
Of course there are a range of security products which can help, but despite their continued development we have to recognise that they can’t exist in isolation. “Just like you can't pop a pill that'll make you fit and healthy, you can't plop a ‘security’ product into an environment and solve all your woes,” says Reg reader Pete.
This brings us back to the mantra of security-is-a-business-issue, which we highlight in a podcast on how to deal with the risks, here. Sometimes we feel we’re sounding like a broken record, but it is clearthat many organisations have yet to get the message.
Unfortunately, attitudes like those highlighted above can lead to security being sold more opportunistically, dealing with specific threats and solving short-term problems rather than trying to overcome the long term issues. Is it any wonder we end up with dissenting voices? As Pete continues: “Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward system of most companies.”
And there we really do have the nub of the matter. We get the security industry we deserve – and if decision makers are thinking and acting tactically, should we be surprised that the industry should respond in kind? If we really do want to get the kind of help we believe would work best – "to reduce business risks" through appropriate use of technology – we need to start asking the right questions of our suppliers.
On all sides, the consensus is that seeing IT security as a technical issue is missing the point. “Security starts with people, says reader Jake. Adds another reader, “It’s a business issue we’re dealing with, and it’s business information we’re protecting. When we talk about IT security, we should really make it clear that it’s not so much the IT we're protecting, but rather the information which is contained, processed or transferred across the systems.”
How should this be done? From your comments, the answer would seem to lie in good governance. But what does that mean, precisely? ‘Governance’ is a word that has been banded around with considerable zest in recent years. While there may be no real consensus, at its heart is the convergence of two principles – ‘doing the right thing’, aka making good (and indeed, ethical) decisions, and ‘doing things right’, i.e. running an efficient shop which delivers quality products and services.
“I have come to the conclusion that security is the result of good governance, not an end in itself,” says Steve Kay. “No-one protects a system for its own sake, but for the sake of what it allows access to.” Good call – but with security treated in isolation, it can be too easy for it to become an end rather than the means, with the inevitable consequences. “When businesses can't be bothered to govern, and allow the tools to dictate the end result, they will – quite deservedly – get poor results.”
An inevitable downside of weak governance is the need for stronger compliance – that is, if organisations can’t regulate their own behaviours, then this increases the need on the legislators and regulators to step in, which imposes yet more demands on the thinly-stretched IT department. “Any data protection security legislation is likely to cause additional damage, except to security consultants,” says Britt Johnston. “So one aim of all IT departments should be solutions which are good enough to avoid extra legislation.”
Ultimately, good governance holds the key to breaking what is a vicious circle between risk avoidance, increasing legislation and adoption of inadequate technologies, themselves used in a tactical manner. There are indeed practical steps that can be taken by organisations large and small, depending on what is their starting point – we have covered some of these in this series of articles. However such steps, if taken without the umbrella of a broader strategy, will only postpone issues rather than dealing with them head on.
If there is one thought we would like to leave you with, it is this: you are right. Security is not about the detail of encryption algorithms, or the configuration of a firewall. It absolutely is about business engagement, classification of information assets, implementing appropriate technologies, recognising the people issues and moving forward with a pragmatic, architectural approach based on appropriately set policies. Within this context, security tools can help – but let nobody expect them to achieve their goals in isolation.