In the Virtue of Community Effort, there are two communities that affect and are affected by the security practices within an environment. These are what we call the inner community, which is made up of us, our end-users, and our executives, and the public, or outer community, which consists of the IT world outside of our perimeter boundaries. Each of these communities plays a very large role in the practice of security within an organization. The idea of security being a community effort cannot be overemphasized. It may not be obvious at first, but the majority of information security issues within systems and networks across the world come from other groups that have failed to participate in either of the security communities.

Our Role in the Inner Security Community

Security cannot be accomplished by security professionals alone. It would be quite impossible for us to widen our focus and watch for every security issue with every system, device, connection, and physical area in an entire environment. It is a fatal flaw I have seen over and over again that security administrators, managers, and chief information officers (CIOs) desire to work independently of the "troublesome end-users." Involvement of the users is an essential component to the success of any good security practice. The end-users are our valuable allies, our eyes and ears, and indeed, our gatekeepers. Every desktop, phone line, and locked door that is put to use by an end-user is a virtual gateway into the kingdom. It is vital that these people remain on our side of the war. One of our most important roles as security practitioners is to integrate the end-users into the local security practices. We must empower them to take active roles in the maintenance of security and inspire them to be allies in our cause. I discuss this in more detail later when we discuss education.
For now, I will simply express that the end-users can be our best friends or indeed our greatest enemies, depending on how we decide to deal with them, and where and when we decide to include them.

Our Role in the Outer Security Community

Many times, the organization with good security practices is compromised by a lack of security from other organizations that have ineffective or nonexistent security practices. It is nearly impossible to trace good hackers because they operate through a long, winding trail of poorly secured systems and can rarely be traced back to a hideout. Remember those movies where the FBI agents run a phone trace back to the criminal, but it must first bounce through a chain of phone calls through 20 different countries before they find out that he or she is actually calling from a phone booth on the corner? Well, this spy movie tactic is all too real in cyberspace. Most systems that are compromised are simply used to launch other attacks against other systems within other organizations. The first thing a successful hacker will commonly do is usurp a group of poorly secured and "unimportant" systems to act as his or her minions for future attacks. And guess what? Each of these poorly secured systems was administered by someone who did not participate in the outer security community, and now it's becoming our problem because their systems are now attacking us.

Our role in the outer security community is very simple: Keep ourselves safe so that others will be safe from us. It is not required that we go out of our way to ensure the safety of the rest of the world, but it is important and oftentimes motivating to understand that the security within our own environment echoes in the security of organizations across the world. Through the process of being conscious and aware of the security around us, we are much better equipped to handle the security issues within the local environment.

Practicing This Virtue

To participate in security communities, we must first start with the realization that we are not alone, nor should we be. We must be willing to give and receive information with others, inside and outside the environment. This helps to solve local issues, and at the same time, has a profound impact on all security issues everywhere. The following simple steps will greatly benefit the security of all environments: