Making IT security
Corporate IT security managers need to improve their communication capabilities and ensure they are "switched on" to the needs of their internal clients. James Turner reports.
Sun Tzu's The Art of War tells the story of a general who – when his town was to be set upon – ordered that the streets be swept, the gates flung open, and the flags taken down. The attacking general had anticipated a defensive stance, and was so unnerved by this unexpected situation that he suspected a trap and retreated.
We can reasonably assume the defending general knew that if he took a closed position he would be surrounded and crushed. The attacking general thought he was the aggressor – until he saw the completely open town. Expecting a closed (defensive) position, he instead encountered an open one and interpreted it as aggressive. Of course, we know it wasn't. The lesson of this story lies in the meaning we attach to open and closed postures.
When learning chess, players are taught the value of space. Having your pieces able to move freely – unencumbered by obstacles – increases the strength of both your attack and your defence. When your pieces are well positioned, you are able to respond to surprise moves by your opponent because your pieces are able to utilise space. Your position is open, and so you have more options at your disposal.
These analogies are intriguing when we consider warfare, espionage, and public relations. But does the concept of agility through openness give us anything useful when we consider organisational IT security?
In many conversations I've had with IT managers, a common thread is the struggle to maintain IT security in the face of internal clients who want more flexibility.
Information security classically revolves around the triad of confidentiality, integrity, and availability; yet so often IT security is perceived as hell-bent on delivering confidentiality and integrity, and as achieving them only by withholding availability. Now, isn't this an ironic situation?
IT security blamed
IT security is there to defend that which is valued (the information) yet those who value the information want greater accessibility to it. IT security is commonly blamed for locking things down; disabling the business, being defensive, passive, closed, and hard.
Worse than our internal clients seeing us as defensive and closed, is if we see ourselves as needing to be defensive and closed.
One of the side effects of many organisations having a separate IT security group is the construct of an "Us versus Them" mentality. This antagonism is perilous to the internal agility of an organisation.
Australians are notoriously anti-authoritarian, and the thinking goes: "It would make my work so much easier if I just put a wireless router here, but those security folk are going to say 'no', so I just won't tell them."
Some of the most elegant checkmates are achieved through letting an opponent's King get locked in by their own pieces. Doesn't that sound like so many IT security groups? In that defensive, closed, position we are unable to move fast enough to support the changing business needs, and we end up being the mighty rook which locks in the King and inadvertently assists in defeat.
Slow an organisation down
Obviously, a business is unlikely to end as suddenly as a chess game, and overly defensive security is more likely to slow an organisation down than to stop it completely. But stuff happens. The security team set the policy, no one followed it, and then stuff happened. Is this ringing a bell?
Chess only works because one critical responsibility holds true for all the pieces despite their various roles: defence of the king. In an organisation, security is everyone's responsibility and needs to be included in job descriptions, employment contracts, and ongoing training.
When the security team maintains an education campaign for the entire organisation, and everyone is aware of and trained to assist in the overall security of information, then the "Us and Them" barrier softens and the organisation can move more freely.
Get your security team to throw open the gates. Not to confuse and trick the rest of the organisation, but because the underlying premise is so thoroughly wrong: there is no "Us and Them". We need to be open precisely because being defensive starts the escalation of conflict, and internal conflict is the fertiliser for disaster.
About the author: James Turner is an advisor with IBRS, an Australian company that provides research and advice to IT and business managers in Australasian organisations. James specialises in the IT security sector. www.ibrs.com.au