Growing Up
Story by Paul Slater, 03-12-2008
This column marks the end of an era for me at Server Management. After more than five years of security columns for the magazine, it’s time to pass the baton to one of my colleagues. Nigel Stanley will be taking over the role of security editor, and I know he will bring a fresh perspective to what continues to be one of the most important areas of IT. I’m taking on the role of enterprise strategy editor. My new regular column will cover both enterprise architecture and strategic planning issues.
My first security column was written in April 2002, just a few months after the 9/11 attacks. Until then, many companies had just been thinking about IT security in terms of targeted hacker attacks, viruses and worms. An IT security department (assuming one existed) had to mitigate those specific threats and respond to an attack if it occurred. If it got that right, its job was done.
The fundamental change that happened immediately after 9/11 was companies thinking about IT security in terms of business continuity. Companies began to seriously ask themselves the question “What will happen if I lose a building, or there is a regional disaster?” Probably the most important thing that emerged from this shift in mindset was that IT security departments began to expand their horizons and way of thinking.
Teenage years
At the end of 2008, I’m seeing two types of IT security departments – those that have grown into mature adult centres of excellence, and those that are still wrestling with teenage angst.
“Teenage” security departments are generally very reactive, and while most will rely on security bulletins to keep abreast of the latest threats, some may only become aware of them when there is a major incident. IT security in this type of organisation is about keeping the lights on, and the team is doing its best to respond to issues with the staffing available.
Frequently managers in this type of department complain of being understaffed. Another problem these departments face is that they are, in effect, penalised for their own success. If things “go quiet” they may see their budget trimmed, because the business concludes that the threats have been dealt with. Over time, budgets swing like a pendulum as security becomes more or less important to the business, or as particular projects are funded.
The business also has difficulty in understanding what IT security does, and sees it as a cost centre that doesn’t provide any real value in its own right. Project managers see IT security audits as adding cost and providing little value, and end users see IT security measures as ways of making their lives more complex, to the detriment of their productivity.
By contrast, “adult” security departments have got their act together. They are proactive and strategic in nature – typically spending as much time thinking about tomorrow’s battles as fighting today’s and yesterday’s. Their staffing is stable and sufficient to meet the challenges they face (even though in reality the department may be no larger than the teenage security ones described above). Their funding is also stable, and they are seen as a partner to the business in addressing the challenges that it faces. The work of the IT security group is well communicated throughout the organisation, and all users clearly see the value that IT security is providing. In many cases, users are proactive about contributing to the overall security of the IT environment.
Reaching maturity
Obviously, if your IT security department is a “teenager”, it needs to grow up. Fast. But how do you get there? In every case where I’ve seen the transition work well, there has been one common theme: senior IT management has made it a priority to get IT security intimately involved in the business. This is important on both sides of the relationship. If the business doesn’t understand IT security, it’s likely to cut its budget and not help IT security meet its goals. But at least as critically, if IT security doesn’t understand the business, it cannot hope to be truly successful.
The role of the IT security department should never be to have the maximum security possible for the budget available. It should be to provide appropriate levels of security for the needs of the organisation. It is not intrinsically right or wrong to implement a particular security mechanism. The decision should be based on a thorough understanding of the needs of the business.
Some in IT fundamentally don’t get this. For example, I’ve been asked questions like “Should I implement a network intrusion detection system?” without any other supporting information.
The implication is that there is a technically right or wrong answer, and that this is all that matters. Once you start thinking about the needs of the business, it becomes clear that the question cannot be answered in isolation.
Working together
When IT security departments are closely involved with the business, great things can start to happen. IT security plays a critical role in educating the business about the risks associated with funding or not funding particular initiatives, and well-informed business leaders can then make a decision based on the risk they are willing to absorb. OK, this is an ideal situation, and it’s unlikely to exist in many companies. The point is, though, that these decisions are not black and white technology issues. The analogy I typically use is that of a burglar alarm. The burglar alarm companies tell me how their product will protect my house, but it’s my business decision whether I spend money buying the alarm.
A good understanding of the business also helps the IT security department understand how to take a position on new technology that enters the business. Imagine a new service is being implemented that monitors the files users are accessing on their local drives and file servers, and generates consolidated reports for business managers. Two SaaS vendors are being evaluated. In each case the file type is sent across a secure channel, along with the details of the user that accesses it. This would allow you to see, for example, that Joe Bloggs is accessing lots of MPEG files. But one of the SaaS vendors offers extra functionality, enabling you to drill down further and see the specific file that the user is accessing.
Whether this extra functionality is needed depends on business considerations. The company might want to know if particular sensitive files are being viewed by its users. On the other hand, it might be more worried that in a lawsuit a rival company might request a litigation hold on the SaaS data. Only a well-educated IT security department, working in partnership with the business, could know which of those two concerns is more important.
Once the IT security department and the business are working more closely together, it will be easier to make the business understand the value of IT security, and of making IT security more proactive. Ultimately you need to ensure that at least some in your IT security organisation are involved in thinking strategically about problems and in preparing the organisation for change.
Change can take many forms. There may be a change in the way threats emerge, or in vulnerabilities that are exposed. There may also be change in the way security measures are deployed or in the security measures available. But at least as important are changes in the overall IT environment – changes that mean protecting different things, for which existing defences are no longer adequate. I’ve been referring to some of these, including smarter devices on the internal network, virtualisation and cloud computing, in recent columns. The last of these trends, the shift of IT resources to the cloud, is the one area that will fundamentally transform the way we approach IT security. When services are provided out of the cloud, you will have less control over them and their security. Instead you will have to focus on what is being provided by the cloud and ensure that it meets the security requirements of your organisation.
Making mistakes
In planning for the future of your IT security department, you will make some mistakes. I’ve certainly made some in my predictions in this column. However, one prediction I am confident about is that IT security will continue to be a vital area, and that jobs in IT security will continue to be interesting, varied and challenging.
If you have been a regular reader of this column, thank you, and I hope you continue to enjoy reading it under new ownership.