Wednesday, November 28, 2007

The Eternal IT Security Struggle.

There seems to be a constant battle between IT and users on the topic of security.

On one side, you have IT who tries to secure systems and on the other, users who chafe at restrictions, sometimes justifiably and sometimes not.

From the IT perspective, the only really secure computer is one that’s turned off and encased in a block of concrete (you could say that being turned off and unplugged is enough, but someone can always be convinced to plug it back in), so IT tries to restrict every point of access it considers unnecessary.

Looking at it from this angle, users are as much an enemy as the hacker outside your network wanting in.

Users, on the other hand, tend to think any restriction at all is bad and constantly try to find ways around the procedures that have been set in place to secure the computers and network.

So, who’s in the wrong?

Both of them.

Both of those extremes are bad. Security will *never* be absolute. Instead, the best you can do is to manage risk. That means setting sensible policies and making sure that users follow them.

It comes back to a couple of what seem to be my favorite subjects in the field – resources and requirements, and cost/benefit analysis.

First, on the resources and requirements front, which is really basic survival 101 for pretty much any situation (what do we have and what do we need?): your resources are computers, appliances, network infrastructure, people, and money (with which to acquire other needed resources), and your requirement is the rather nebulous concept of “security”.

Yes, security is a nebulous concept. That’s where the cost/benefit analysis comes in. You have to ask yourself questions like “how rigid do the rules affecting this area need to be so that we have adequate security while allowing our staff to do their jobs without jumping through too many hoops?”

For most places, that means setting workstation passwords. In addition, you may also have password-protected network shares, a whitelist (or blacklist, depending on how strict your security has to be) for what your employees can access outside your network, a decision on whether or not they can use a VPN from home, etc.

The answers to those questions will vary from business to business, and it would be silly to try to tell you that you absolutely *need* X, Y and Z. In fact, after you set your policies, you need to review them periodically to see if they still meet your needs.

As time goes on, you may find that you need to make some things stricter due to increased threats and new regulations or you might find that some of the rules you thought were great are actually preventing your people from doing their work and can be loosened a bit.

Security isn’t just a set of rules or a box you put on your network. It’s a constantly evolving set of procedures and resources (both in the form of equipment and people).

Part of that is listening to the people the policies apply to. Yes, sometimes users make unreasonable demands and it needs to be explained to them that the demands are unreasonable (and why) and management needs to stand by that decision. However, they are also capable of making suggestions that you might not think of because they work with things in ways that others don’t.

IT and “regular” employees need to work together. If they’re fighting each other, things aren’t getting done. I know that I’ve heard the argument of “IT is a cost center and *we’re* the ones who make money” far too often. The fact is, it’s true: salespeople do bring in money. However, without IT they wouldn’t be able to. What’s more, IT can help *save* your company money, which is good for your bottom line.

The point is that everyone in the organization is both part of the problem and part of the solution. Stop drawing lines in the sand and try working together for a change. You might find that the results are much more to your liking.

Current mood: calm
Current music: Rise Against – Paper Wings