Most security solutions are a trade-off of ease-of-use versus security. As computer security measures grow in importance, previously uninterrupted legitimate processes get reined in or stopped altogether -- like my recommendation of not allowing non-admin users to install software without management approval. As companies grow more valuable, they are willing to accept higher levels of default security as measured against legitimate needs.
In my experience, most companies’ position on computer security goes through a series of evolving steps that I can only equate to Maslow’s Hierarchy of Needs from basic safety to self-actualization. All IT processes go through this sort of trending, truth be told.
A related example is how a company ends up forming a help desk team. When the company is small, it has just one IT person. As it grows, another person or two is added. Usually at this stage, employees know to contact the first IT guy (the IT manager), who triages the call and assigns it to a team member. As the company grows, more IT employees join the department.
Pretty soon, the company’s employees have each of the IT members' personal cell phone numbers (used to be pagers) and call them at will. Each IT employee is running off here and there based upon the whims of the employees, with little thought to efficiency.
Eventually, somebody figures that all the incoming calls should go to a common number so a triage decision can be made, and a centralized help desk is born. A little thought and planning ends up saving the company time and money, and makes the help function more efficient.
The same thing happens in computer security. Some companies, like a law office I visited last week, don’t have a clue. They are running a workgroup network full of Windows 95 computers with no log-ons, no anti-virus, no patches, and no firewall. Clearly a disaster already in progress.
But to be frank, that company and others like it aren’t ready to listen to my spiel about all the current security risks and how I’m going to make their network perfect. It was all I could do to convince them that it would be nice if a law office holding lots of confidential client information required log-ons to get access to internal data and installed an Internet firewall.
And that's where Grimes’ Hierarchy of Security Needs comes into play. Whenever I enter a company for the first time, I quickly try to measure its computer security maturity. Often I can do this in a few minutes. Mentally, I’ve classified them into five stages, much like Maslow’s Hierarchy of Needs, based on their approach to security.
In Stage One, no one thinks about computer security at all. Passwords are short and shared log-ons are common, no firewalls are installed, and the only anti-virus software they have came preinstalled on some new machines (and hasn’t been updated since). Nothing is encrypted or authenticated. Infected and compromised machines are so common that most employees keep using them even when they know they have problems.
Eventually the e-mail worm outbreaks come back-to-back, compromised systems are discovered, and machines are constantly down or slow because of malware attacks. One day a big security event happens, a client or management gets really upset, and both IT and management wake up to the problem.
In Stage Two, management and IT agree to get more serious about computer security. Anti-virus software is purchased for e-mail servers or installed on user desktops. A network firewall is installed (but with an allow-by-default rule set), password lengths increase, and end-users are educated about the most common threats. An existing employee is told they are in charge of security, but in reality they have little to no authority and their major job task is assigning and removing passwords to multiple systems.
Management thinks it has addressed the problem. Worm and spyware outbreaks happen less often, but the entire system still goes down a few times a year. If a major worm or virus gets announced in the media, it always hits the company badly. Another major security event happens, just as bad as the first one. Things aren’t fine.
This is the first step into what I think is a real security environment. A real security officer, with a security certification or training, is hired or created. All employees sign an acceptable use policy when they are hired, and passwords get longer and are required to be changed at least twice a year. There's a focus on automating computer security. Anti-virus software is installed on all desktops and automatically updated from location-specific servers, patch management software is utilized, and additional scanning programs to find malicious software are set up.
Viruses and spyware are finally under control. External threats are minimized. Then an employee is caught hacking the system and an IT manager is caught reading management’s e-mails. Internal threats become a very real problem.
Management tells HR and IT to work on computer security policy, and to penalize employees who fail to follow proper guidelines. Some sort of industry guideline or legal compliance legislation (HIPAA, SOX, GBL, and others) kicks in, adding to company security policy. Passwords are complex and changed once a quarter. Dangerous e-mail attachments are blocked at the gateway.
External consultants are frequently hired. IT is interested in buying IDS, IPS, and other cutting edge technologies that promise the world but always under-deliver. The security team is actually brought in at the beginning of projects, and software developers are trained in secure coding.
Security is being considered by all members of the IT team, and management fully backs the IT manager and the security officer on all major decisions. The oversight audit team works in conjunction with IT security to perform internal audits and prepare for external assessments.
Still, some security events happen. Some employees are still opening every file attachment no matter how many times you educate them. Eventually, a confidential database is breached from the outside, and tracked to a compromised internal employee’s computer. All they did was install the latest cool thing off the Internet.
Self-actualization. The security team and management finally understand that allow-by-default and deny-by-exception policies will never work. Strict computer policies are enacted, end-user desktops locked down, and deny-by-default polices implemented everywhere. Corporate computer images are the only ones allowed on the network. Employees caught trying to circumvent security policy are fired.
Patches are thoroughly tested and deployed according to a criticality rating. Vendor software must meet certain security requirements before it can even be considered for purchase. All confidential data is encrypted by default. Laptops and PDAs must have bootup passwords and data encryption. Authentication is built into corporate logons, e-mail, and physical security.
Finally, both internal and external threats are minimized or nonexistent. The latest computer threat is only read about, not experienced.
The scenarios and steps in each stage of the Grimes’ Hierarchy of Security Needs are only examples. The main point is that all companies have some level of security maturity. All start from the beginning and move on to stricter phases, requiring more control and less freedom; internal and external influences drive the process. Where is your company?