SECURITY ADVISER  

The evolution of corporate security

As companies balance ease-of-use with security, they move up the steps of Grimes’ Hierarchy of Security Needs

By Roger A. Grimes
August 04, 2006
 

Most security solutions are a trade-off of ease-of-use versus security. As computer security measures grow in importance, previously uninterrupted legitimate processes get reined in or stopped altogether -- like my recommendation of not allowing non-admin users to install software without management approval. As companies grow more valuable, they are willing to accept higher levels of default security as measured against legitimate needs.


In my experience, most companies’ position on computer security goes through a series of evolving steps that I can only equate to Maslow’s Hierarchy of Needs from basic safety to self-actualization. All IT processes go through this sort of trending, truth be told.

A related example is how a company ends up forming a help desk team. When the company is small, it has just one IT person. As it grows, another person or two is added. Usually at this stage, employees know to contact the first IT guy (the IT manager), who triages the call and assigns it to a team member. As the company grows, more IT employees join the department.

Pretty soon, the company’s employees have each of the IT members' personal cell phone numbers (used to be pagers) and call them at will. Each IT employee is running off here and there based upon the whims of the employees, with little thought to efficiency.

Eventually, somebody figures that all the incoming calls should go to a common number so a triage decision can be made, and a centralized help desk is born. A little thought and planning ends up saving the company time and money, and makes the help function more efficient.

The same thing happens in computer security. Some companies, like a law office I visited last week, don’t have a clue. They are running a workgroup network full of Windows 95 computers with no log-ons, no anti-virus, no patches, and no firewall. Clearly a disaster already in progress.

But to be frank, that company and others like it aren’t ready to listen to my spiel about all the current security risks and how I’m going to make their network perfect. It was all I could do to convince them that it would be nice if a law office holding lots of confidential client information required log-ons to get access to internal data and installed an Internet firewall.

And that's where Grimes’ Hierarchy of Security Needs comes into play. Whenever I enter a company for the first time, I quickly try to measure its computer security maturity. Often I can do this in a few minutes. Mentally, I’ve classified them into five stages, much like Maslow’s Hierarchy of Needs, based on their approach to security.

Stage one

In Stage One, no one thinks about computer security at all. Passwords are short and shared log-ons are common, no firewalls are installed, and the only anti-virus software they have came preinstalled on some new machines (and hasn’t been updated since). Nothing is encrypted or authenticated. Infected and compromised machines are so common that most employees keep using them even when they know they have problems.

Eventually the e-mail worm outbreaks come back-to-back, compromised systems are discovered, and machines are constantly down or slow because of malware attacks. One day a big security event happens, a client or management gets really upset, and both IT and management wake up to the problem.

Stage two

In Stage Two, management and IT agree to get more serious about computer security. Anti-virus software is purchased for e-mail servers or installed on user desktops. A network firewall is installed (but with an allow-by-default rule set), password lengths increase, and end-users are educated about the most common threats. An existing employee is told they are in charge of security, but in reality they have little to no authority and their major job task is assigning and removing passwords to multiple systems.

Management thinks it has addressed the problem. Worm and spyware outbreaks happen less often, but the entire system still goes down a few times a year. If a major worm or virus gets announced in the media, it always hits the company badly. Another major security event happens, just as bad as the first one. Things aren’t fine.

Stage three

This is the first step into what I think is a real security environment. A real security officer, with a security certification or training, is hired or created. All employees sign an acceptable use policy when they are hired, and passwords get longer and are required to be changed at least twice a year. There's a focus on automating computer security. Anti-virus software is installed on all desktops and automatically updated from location-specific servers, patch management software is utilized, and additional scanning programs to find malicious software are set up.

Viruses and spyware are finally under control. External threats are minimized. Then an employee is caught hacking the system and an IT manager is caught reading management’s e-mails. Internal threats become a very real problem.

Stage four

Management tells HR and IT to work on computer security policy, and to penalize employees who fail to follow proper guidelines. Some sort of industry guideline or legal compliance legislation (HIPAA, SOX, GLB, and others) kicks in, adding to company security policy. Passwords are complex and changed once a quarter. Dangerous e-mail attachments are blocked at the gateway.

External consultants are frequently hired. IT is interested in buying IDS, IPS, and other cutting-edge technologies that promise the world but always under-deliver. The security team is actually brought in at the beginning of projects, and software developers are trained in secure coding.

Security is being considered by all members of the IT team, and management fully backs the IT manager and the security officer on all major decisions. The oversight audit team works in conjunction with IT security to perform internal audits and prepare for external assessments.

Still, some security events happen. Some employees are still opening every file attachment no matter how many times you educate them. Eventually, a confidential database is breached from the outside, and tracked to a compromised internal employee’s computer. All they did was install the latest cool thing off the Internet.

Stage five

Self-actualization. The security team and management finally understand that allow-by-default, deny-by-exception policies will never work. Strict computer policies are enacted, end-user desktops are locked down, and deny-by-default policies are implemented everywhere. Corporate computer images are the only ones allowed on the network. Employees caught trying to circumvent security policy are fired.
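The difference between the Stage Two firewall (allow-by-default, with a few deny rules) and the Stage Five firewall (deny-by-default, with a few allow rules) is easy to see with a toy first-match packet filter. This is an added illustration, not code from the column; the rules, ports and the "unlisted" port 1434 are constructed for the example.

```python
"""Toy first-match packet filter contrasting the Stage Two allow-by-default
rule set with a Stage Five deny-by-default rule set. Constructed example:
the rules and traffic below are made up for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    dst_port: Optional[int]  # None matches any destination port
    comment: str = ""


@dataclass(frozen=True)
class Policy:
    rules: List[Rule]
    default: str             # action taken when no rule matches

    def decide(self, dst_port: int) -> str:
        # First matching rule wins; otherwise fall through to the default.
        for r in self.rules:
            if r.dst_port is None or r.dst_port == dst_port:
                return r.action
        return self.default


# Stage Two: allow everything, block only the services that hurt us last time.
STAGE_TWO = Policy(
    rules=[Rule("deny", 135, "blocked after the last RPC worm"),
           Rule("deny", 445, "blocked after the last SMB worm")],
    default="allow")

# Stage Five: deny everything, enumerate only what the business needs.
STAGE_FIVE = Policy(
    rules=[Rule("allow", 25, "inbound mail to the gateway"),
           Rule("allow", 443, "public web server")],
    default="deny")


def compare(dst_port: int) -> dict:
    """Return both stages' verdicts for one inbound flow to dst_port."""
    return {"stage_two": STAGE_TWO.decide(dst_port),
            "stage_five": STAGE_FIVE.decide(dst_port)}


if __name__ == "__main__":
    # Port 1434 stands in for a service nobody thought to list in either set.
    for port in (25, 445, 1434):
        print(port, compare(port))
```

The allow-by-default set must enumerate every bad service in advance, so anything new (the constructed port 1434 here) sails through; the deny-by-default set only has to enumerate what is needed, so the same unlisted service is dropped.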

Patches are thoroughly tested and deployed according to a criticality rating. Vendor software must meet certain security requirements before it can even be considered for purchase. All confidential data is encrypted by default. Laptops and PDAs must have boot-up passwords and data encryption. Authentication is built into corporate log-ons, e-mail, and physical security.

Finally, both internal and external threats are minimized or nonexistent. The latest computer threat is only read about, not experienced.

The scenarios and steps in each stage of the Grimes’ Hierarchy of Security Needs are only examples. The main point is that all companies have some level of security maturity. All start from the beginning and move on to stricter phases, requiring more control and less freedom; internal and external influences drive the process. Where is your company?

InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security.
