Network Security Security-Basics
Subject: Re: Re: Article: "Security Absurdity: The Complete, Unquestionable, And TotalFailure of Information Security."
Date: 19 May 2006 19:09:05 -0000
Security is a process and not any kind of a tool, but I'm certain we all 
understand this.  

Regulations, testing, tools et al only serve to support said process.  But even 
the process falls short of effective security simply because you're still 
dealing with the weakest link in the entire chain: you!    

Yes, you!  The human element, the weakest link, the person who will ultimately 
make a mistake that either singularly or in aggregate could bring risk to the 
security process you practice.  The human element is often THE root cause of 
weakness within any organization.  You can't fix stupid.  

How many of you have ever left the door to your house or car unlocked?  The 
control was there but YOU made the mistake.  

Other examples:
- Firewall logs are only as valuable as the person who is reviewing them.  But 
does that person really understand what they're looking at?  
- Intrusion detection is only as effective as the individual crafting the rules 
and how well he/she understands the environment they hope to protect.  But has 
he/she turned off certain alarms because they kept generating presumed false 
positives?
- The internal network is only secure from intrusion if you have a total 
understanding of all possible points of entry.  What about physical security 
over the data closet in that remote plant you never go out to visit?
- The policies you preach only have teeth if you enforce them.  How many IT 
folks bypass Internet filters or proxy servers because it interferes with sites 
they need to surf?  For work of course!
- Audit reports seldom produce measurable results because often the auditors 
(who have only been onsite for 2 weeks) have no clue about what they're 
auditing, much less the tools they've run or the work plans they're following.   
Not always the case, but more the rule than the exception.  

In essence, we're left with training, awareness, and communication efforts that 
seldom get attention.  That's too much like training, and who has time for it, 
much less the budget?  Oh, but SOX, HIPAA, PCI etc. are devouring budget and 
attention these days.  And while I agree with needing 'key controls' for 
effective security, common sense has left the stage.  The very regulations that 
were created due to poor auditing practices are now being leveraged to increase 
billable hours.  I digress.

If the culture of any organization believes security to be a non-issue then 
it certainly will remain that way.  Tone at the top is paramount.  

To abuse an old adage: it's the people, stupid!  Spend all you want, but if your 
people are not properly trained, on a continuous basis, know their 
roles/responsibilities, and understand current/emerging threats to the 
organization, then you've gained little.  Tools, policies, procedures and audits 
will not save you.  The culmination of process plus people is what produces 
effective but not total security.  Changing any culture to reflect this is 
difficult at best.  

Steve Knight CISA, CISSP
