I wrote earlier this week about Identity and Access Management (IAM) and how it’s important for Infosec (Information Security) to be involved with projects early. The post generated a few comments and some commentary on twitter, mostly from Infosec folks. Some complained I was too harsh on Infosec (I wasn’t) while others worried that I didn’t go into enough depth (I didn’t). In my mind though, it raised the issue of why there is such friction between Infosec folks and the rest of IT.
Let me start by saying security is hard. That’s just a fact of life. It’s difficult to secure against everything, especially when many of those things are unknown. Yet, it doesn’t mean we should forget about security, but we do have to be realistic. If someone really wants to cause you a problem and is determined enough to, they most likely will succeed. Your job is to make it a little harder for them and to prevent as much damage as possible. At the same time, your goal is to make sure that the doors aren’t left wide open for those who are passing by and could see an opportunity.
Don’t forget my disclaimer, I am not an Infosec guy and I don’t even play one on TV. That being said, I believe that security in an organization is everyone’s responsibility. It’s not just all those hard working people in Infosec, they lead the charge but they still need the army to back them up. We, the every day employees are that army. We have to understand the basics, things like having a good password, not leaving your device open and logged in while at the coffee shop, and understanding what a phishing email looks like among others. When we see something funky going on, we should say something.
This is where some of that friction comes in. Not everyone in Infosec believes that every person should be doing security. They believe it’s their job only. My answer, grow up; you have better things to worry about. When you partner with your users you will have a much easier time getting stuff done.
The second place that friction comes in is simple; many in Infosec think that every day users are stupid. They need to be protected from themselves and Infosec is more than happy to oblige. Among other things, they throw up proxy servers that cut off all contact with the outside or they setup firewall rules that block everything. Infosec then wonders why everyone is going outside of the work network to get things done. They use their phones as wireless hotspots, they figure out a backdoor to getting around the proxy server, or if they’re really smart, they discover that a VPN defeats all that magic blocking. A lot of this is done to manage risks without understanding rewards. Years ago, I was in a new job and one of the things I had to research was Mobile IM clients. Nothing fancy but a way to connect our internal IM with our mobile devices on the go. I fired up my browser and quickly discovered that all ‘chat’ client websites were blocked. Ok, fair, I went and got a security dispensation, as it was my job requirement to understand these products after all. It took, after getting an approved dispensation, arguing with 2 different security personnel and then 4 weeks working with the firewall person to create the exception to the rule. Do you think I stopped working on the task at hand during those 4 weeks, absolutely not. I found a way around the issue and got my work done. It was my own little case of shadow innovation.
One of the things that Infosec really has to do is learn to work with their users. It’s much easier to have people follow the rules when the rules make sense to both sides. That doesn’t mean you have to let people run wild. Just that you have to work with them and understand there needs. Infosec is as much about security as it is risk management. One of the best ways to manage risk is to work with people and figure out the best way to enable them in a secure way. It’s time for Infosec to move away from the department of No and become the department of Know, where it’s about securely enabling people. This is going to require Infosec to become design thinkers. They will need to understand how to make security work in systems that are being modified every 6-12 weeks so people can be more productive.
It also requires that the business, IT, and the developers start trusting Infosec. They can’t stick with the same model of designing an app or project, building it, and when release time rolls around submitting it to security for approval. That’s a direct line to a deserved delay or freeze in a project. The Infosec team has to be involved in projects from day one. If they are expected to be design thinkers, they need to be involved with the actual design of the product. Only when they are aware of the business requirements and understand the users’ needs can they truly enable the product securely.
In the end, the goal of Infosec has to be to minimize the risks a company is facing while at the same time enabling their users. It’s not an either/or proposition. If you do one without the other, you will eventually fail.