
BlueWolf's Howl


August 25, 2012

Top Tips

I don't normally "re-blog", but I found this article quite interesting:
20 of the Best IT Security Lessons Ever Learned by David Spark

It grabbed me with the first one:

Tip #1: Security must enable business, not prevent it

and then really hooked me with:

Tip #4: Teach the basics again and again
"you can be far more effective just educating personnel about simple secure practices, over and over again"

and then
Tip #11: In a business vs. security battle, business is always right
which is illustrated with a guy holding a chalkboard that says "There is no security risk. It's all business risk."

Good article. The first point - omg, isn't that an old concept? Remember this book: Business at the Speed of Thought? You may not like or agree with Gates, but read it and realize it was first published in 1999. He was telling businesses that they need to leverage their geeks to give themselves an advantage. And he was also telling geeks that they need to provide business value - not just geek giggles. I remember that time in computing. I had gotten my MCSE in 1998 and CCNA in 1999. The 'big thing' was what you could do - not what you should do. Projects were created just to prove you could do something, not because they had any business value. Heck, we'll figure that part out later - let's see if we can make it work first. And then a few years later, the tech bubble burst and everything changed.

One of the reasons I went for the CISSP is the focus it has on business rather than pure technology. Granted, I have the technology background - but it's not enough (for me). Fellow Geekateers - wake up! The business is where the MONEY happens to be... remember? We work FOR the business; they are not the enemy. They are not the people making our jobs difficult; we are making their jobs difficult. You have to make the secure way the EASY way of doing things, or else someone somewhere will go around the system. Or if you are that immovable block "protecting" the network - yeah, you can be removed. (Psst - the business will see to that.) And in security, all it takes is one weak link to break the chain. Just one person (especially an insider) with a reason, and perhaps business permission, to circumvent the controls, and you have just opened the door to someone following in behind them.

So now about #4 - that's a favorite of mine too. You have to teach the basics - and not just nag. You have to get out there, talk to people and train them to think securely. You will not be with them all the time. You will not be able to train them on everything. They will not remember everything. So keep it simple and teach the principle of the matter. Teach them: if YOU can access it, then a malicious user can access it - with your credentials. That way people can retain the idea and apply it to new situations, like when you go from one type of credential to another... ("Well, I know you shouldn't share your password, but I just let him have my ID card for a few minutes to go to the bathroom...")

And again...#11... that business thing. The guy with the sign is right. It is ALL business risk. From security to maintenance - it's a business decision.

However - the place where I see both security and business falling down is the reluctance to identify data with different levels of business importance. Business doesn't want to pay for security to take the time (or their own time) to properly identify business value, and security wants to secure everything. It's a WASTE OF MONEY to lock up a head of lettuce. I've seen time and again (at a number of companies) a blanket level of security applied over everything. Sometimes it has been so severe that many people can't properly do their jobs. Or they waste vast amounts of time employing (or going around) the security measures to complete a simple, authorized, routine task. At the same time, business-sensitive data is treated the same as all the other data on the network (in the belief that it's all locked down). Is it really secure? If everything has the same level of security and you just got around that security to do some routine task... what about the sensitive data?

There's one tip they left off - or perhaps it should be #21:
Bad security is worse than no security.

If you think you're secure but your security is bad, you won't bother to "fix" something you don't see as broken.

Posted by BlueWolf on August 25, 2012 08:19 AM