Ninjas and Accountants

We’ve talked about reasons IT security can fail and suggested the industry needs to do more. So what else can be done and why is the industry not stepping up?

I’d say it comes down to a misunderstanding of what security is, an underestimation of risk, and misapplied resources. Organizations are deploying ninjas and accountants to solve their security problems, and while these roles are important, they’re insufficient to secure a decent sized organization. I think we need a broader approach. Organizations can start with a security framework like ISO 27001, which includes items like leadership alignment, planning, and risk assessment, to jumpstart the process.

Guidance helps because even experienced IT leaders don’t understand security very well. They tend to regard security as another technical problem in their technical environment. So they buy and configure technology, and as with other technologies, they’ll find a technician to run it.

They’ll look for the most technically proficient engineer they can find with a broad understanding of the components of security – a ninja. From the organization’s perspective, this ninja should be skillful, protective, and most importantly, silent. For many organizations, it’s most convenient if the ninja does not ask people to change areas like applications, architectures, operations, or human behavior to be more secure. Better that they do their work in the shadows and not bother anybody.

IT leaders often give minimal guidance and support to these ninjas. This isn’t so much because they don’t want to, but rather because the leaders don’t know what support is required. Ninjas tend to say little because, speaking in broad generalities, they’re not always the most social type. They enjoy security and like to focus on their jobs, which means they prefer to minimize talks with the boss. This creates an environment of de facto benign neglect.

OK, to be fair, it’s not total neglect. IT leaders often apply the IT security aspects of regulations like Sarbanes-Oxley, PCI, GLBA, and HIPAA, not least because they’re required to and they’re told it’s the right thing to do. These regulations include guidance that represents a minimum bar for security configuration. They’ll use accountants, i.e. security auditors, to create a “security by checkbox” approach to verify what the ninjas have done.

While this is useful, it is insufficient to ensure security of an environment. Truthfully, the bad guys know all about the regulations, see their weaknesses, and are expert in exploiting organizations that stop there.

To see why security by checkbox isn’t enough, let’s imagine we’re leaders of a country that wants to defend itself.

If we were to take a similar approach to defending our country, we might imagine that we want to be safe from an enemy army. We look at other armies and see they have a lot of people with guns. We decide to mirror them by buying guns, training people, and deploying our army on the frontier. We’ve spent a lot of money and see people with guns so we assume we’re safe.

Simultaneously, we have a previously unknown enemy who sees our activity and looks for weakness.

We haven’t thought about who our enemy could be or created an intelligence community to find out. We haven’t considered what’s most at risk in our country or established foreign relations with our neighbors for support. And finally, we have the army but we haven’t really committed to being safe, which means we’ve underfunded the effort.

Essentially, we’ve spent a lot of money to give ourselves the perception of being safe.

This means nothing to our enemy. He easily finds a weakness, and we’re surprised when he’s rolling through our capital city. Worst of all, we knew about this weakness but were unwilling to fix it because it was too much trouble.

This is what happened with the Maginot Line, France’s ineffective defense against Germany, leading to their quick loss at the beginning of World War II. Sad story.

Does this remind you of some of the massive surprise data losses we’ve seen recently?

Our takeaway is that a false sense of security is worse than no security at all, and that deploying assets without a strategic plan – security by checkbox – is an invitation to loss.

Most organizations already know this, even if they don’t appear to. After all, a skilled business manager wouldn’t apply only ninjas and accountants to new product development, customer service, distribution, or sales. Instead, he would create a structure around those business processes to ensure their resiliency and ability to adapt to changing conditions. He knows this is necessary because he’s been steeped in capitalism’s competitive culture. He also knows that he will go out of business soon if he doesn’t take care of his business processes.

Computing has become the backbone of many organizations’ business processes, yet it has not been subject to the same discipline as other processes. I’ll discuss this in detail in a future post, but it basically boils down to that benign neglect. IT workers and consultants often know there are problems and could do more, yet they often find it easier to keep quiet, mostly because they’ve found business leadership isn’t open to the discussion. Business leaders have not awakened to the need to apply the same discipline to computing as the rest of their processes. And in the end, ninjas and accountants won’t get it done.

I recognize that it’s hard to do something like this from scratch and security frameworks are a helpful way to start. Even so, they still only provide some basics and organizations must apply their own discipline to ensure proper security, both protecting and enabling the business.