Thursday, 7 April 2016


What does good security look like? I'll describe it, or my understanding of it at least, towards the end of this post.

In a perfect world, it would be possible to have the proper security controls in place everywhere, and people would respect why they are necessary, and get used to them to the point that they are just second nature. People would understand that technical controls and user policies and processes are there for the protection of all.

In the real world, security costs money in itself and also slows down the way your average worker... works. Technology isn't perfect and your average worker gets things wrong resulting in calls to the help desk for support. Technology requires teams of people to manage it. Users need training, audits need to be carried out, enforcement needs to happen, alerts need to be responded to, and the evolving threat needs to be observed and adapted to. The lower the historical culture of security in an organisation, the more people will inevitably see security as a threat instead of protection.

Strong security is only suitable for organisations with high risk and large budgets for technology and trained security staff. All other organisations need to constantly watch the threat indicators and adapt to address them. This tends to result in excessive levels of policy or controls being put in place, which either turn out to be unenforceable or too costly when it comes to implementing new technology.

Eventually over several iterations of change (or attempted change), enforcement (sometimes with a healthy side of conflict and confrontation), and measurement, an organisation with a good security team will reach a point where things are relatively stable. Users start to come to terms with the processes and accept them. Depending on the baseline security culture, this might take 6 months or 2 years, perhaps more.

Why can't we just perform risk assessments and set policy accordingly, and then start firing people who don't comply? Well maybe in some companies this will work, but probably not in most. Certainly, if two or three people lost their jobs or bonuses due to stubbornness and refusal to comply, the message would spread fairly quickly. But unless a business is clear on taking this kind of approach from the beginning, you will need a more subtle strategy.

You will need allies. You need to find who in the business "gets it". You need to filter out the people who say the right things with no genuine intentions, and the people who just don't want to engage for whatever reason. Possible reasons include other work pressures, or the emotional response that comes about when you try to force behavioural change. This is a very tangible thing, although it might not sound like it.

Once you've figured out who your allies are, and convinced them that you know what you are doing, you can begin making progress. Progress in security has to be collaborative, with input from stakeholders. This has two main benefits: the resulting policies will be more appropriate, and the people providing input will be aware of the new policy and feel as though they have contributed to it.

I'm an idealist and I despise politics. I hate having to second guess what people's intentions are when we're all supposed to be on the same side. The security of the organisation is paramount yet there are sometimes people in the organisation who see it as a threat to them getting things done, changing the way they work, or just making them look bad.

To do security, you need to start to recognise what people's agendas are. What are their objectives? What affects them getting their bonus? What is their history and what are their aspirations? What are their favoured vendors and suppliers? Who are their mentors and allies?

You have to sharpen your tools in strategy and diplomacy, or at least in spotting where politics is at play. You must be unrelenting in your vision of protection for the business and everyone in it, even when they fight against you. When someone knocks you back, sometimes you have to let them win that battle and regroup to consider how you will approach the problem from a different angle. I don't claim to be a master strategist, politician or diplomat, quite the opposite. But I've started to appreciate how much of a factor this is in business, and to identify when it is blocking progress. In the absence of an actual appetite for politics, my strategy is instead resilience, tenacity, honesty, transparency, and integrity. It is these qualities, and not the alternatives, that get an organisation where it needs to be.

So where does it need to be?

Some aspects are so common sense that they should be set in stone. Others require establishing the appropriate level of control, which will look different for each of MI5, a bank, a private company, a public company, a membership organisation, or a creative house, etc. This is what the vision of good security that I mentioned to begin with looks like:

Firstly, employees understand the risks to their personal lives as a result of bad security practices. They spend the time to protect themselves, which in turn reduces risk in the business. They also understand that if the business fails, it is not just they who lose their income, but also their colleagues and their families. This moral obligation results in an increased sense of ownership and responsibility for individual security. It also eliminates the politics that get in the way of good security.

Secondly, the policies and processes are correct and appropriate for the risk profile of the business.

Thirdly, because the policies and processes are correct, the business understands exactly how much spend is required on technology and team members. Server and client operating systems and applications are patched. Alerting systems are fit for purpose and response is timely and appropriate.

Fourth, security gates are embedded at the correct points in all business processes. This includes recruitment, projects and procurement, as well as day-to-day operations such as payment handling, firewall requests, new users, leavers, visitors, etc.

Finally, for now, security teams have responsibility and time set aside to analyse the changing internal and external threats to an organisation and develop defences. Sometimes this includes learning and practising what the bad guys do in a safe environment.

This list may evolve over time. Future posts will provide some examples of how to achieve successes towards this utopia so keep your eyes peeled for those.

