When do you hear about the left tackle? When he gives up a sack. When do you hear about IT security? When there’s a major breach. No wonder Chief Security Officers (CSOs) often take a conservative approach. However, security practices must minimize risks AND enable the business.
Let’s take this analogy a step further. How does the conservative football coach prevent sacks? He keeps the tight end in to help the left tackle, and both running backs to pick up any blitzes, leaving only two receivers to run pass patterns. The coach has drastically reduced the odds of a sack, as well as the odds of scoring any points. The overall goal can’t just be avoiding sacks but enabling the team to score points while protecting the quarterback.
Similarly, the conservative CSO takes a lock-everything-down approach – extremely limited remote or mobile access, overly restrictive access rights, no client-facing websites, and a whole lot of roadblocks for business users (e.g., no BYOD). However, at an organizational level, the overall goal must be business enablement, not risk avoidance.
The trap is thinking you have to be conservative to ensure security. Instead, take a proactive approach that ensures the appropriate security practices are in place to support the demand for remote or mobile access, expedited changes to access rights, and client-facing websites rather than throwing up roadblocks. For example:
- Implement advanced network segregation — which separates critical apps/data from the rest of the network — as part of your standard network provisioning procedures. This enables new initiatives such as a partner portal to be rolled out in a timely manner without undue risks. Your critical apps/data remain off-limits. Without this level of segregation, it’s much riskier to allow external access to your network, prompting overly conservative security practices that limit the business.
- Define role-based access control (RBAC) to ensure consistent and timely assignment of user access rights. This streamlines user provisioning, enabling new staff to become productive faster. It also facilitates seamless transfers to other departments or changes in responsibilities. In a large company without RBAC, it can take one to two weeks to approve and implement changes to access rights because of the number of applications and system owners that might be involved. Security becomes a hindrance to the business.
- Establish application development security standards that must be followed regardless of the application’s purpose. You never know when the business will decide to web-enable an internal application – for example, to support mobile staff. Applications are typically the weak points even in large enterprises with dedicated security teams because of the inconsistency at the developer level. Again, this prompts a more conservative approach after-the-fact to limit exposure.
The conservative avoid-all-potential-risks approach doesn’t work because staff will subvert processes to “get the job done,” just like the quarterback who changes the play at the line of scrimmage.
Instead, implement appropriate security practices that support business initiatives – and go on the offensive. Design plays that give you a chance to score points while keeping the quarterback upright. Keep the running back in to block and help your offensive line, but let the tight end run a skinny post to the end zone. If you don’t score points (or make money), why even play the game?
For more advice on optimizing security, see the project blueprint Optimize Security Operations without Overspending (http://www.infotech.com/workshops/optimize-security-operations-without-overspending).