Let's Not Go There…

The force behind a brilliant idea can encourage the tiniest bud to blossom into a billion-dollar-a-year industry (like ISD) almost overnight. But, like the snow crocus, a fast bloomer can wilt and die just as quickly. Things can spin out of control, especially when a company fosters a hollow commitment to security. ISD was lucky this time. Don't bet your company's future on luck. This section discusses what ISD should have done.

Commit to Security from the Top Down

Every company has its own culture when it comes to security. That's why what's good for one company is not necessarily good for another. Each company should understand what it wants from security and then practice it from the top down. Management cannot be excluded.

When executive management does not place value on security or take responsibility for security (as if it were someone else's job), that sends a message to the people at the line level that management does not really care. In response, line-level people often lose interest in security as well. That's a risky message to send!

Don't Delegate Security

All too often, managers seem to rule from on high with little or no contact with the masses. When that happens, security suffers. This scenario illustrates the types of problems that can occur when security mandates are dictated from above.

Simply voicing the importance of security is not enough. Virtually everyone knows that computer security is an important issue. Unfortunately, they usually think that it's an important issue for somebody else.

Remember that we are all responsible for the security and the safety of our data. That includes the highest executive, as well as the lowest technician.

Keep Levels of Management to a Minimum

When too many levels are involved in security, security messages can be misinterpreted, misunderstood, or simply lost. If you are an executive manager and you have no idea which manager is in charge of security for your company, take a long hard look at your chain of command. Too many links can weaken even the strongest chain (Figure 3-1).

Figure 3-1. [image not reproduced]

If you're a link at the end of the chain, make sure you know exactly who it is that wants you to complete a given task. Keep in mind here that "management" is a concept, and not a person's name. You can't very well report back to a concept if you run into implementation or operational problems.

Report Back to Executive Management

I recently met with a CIO of a large manufacturing company to talk about security. She wanted to know how she could tell if her network was at risk. I asked her the following questions:

  1. Have you ever received an executive security report?

  2. Do you have a security manager?

  3. Do you have any security experts?

The CIO answered "No" to every question. She also wasn't sure whether or not her firm had ever conducted a security audit. She was wondering whether she needed to hire a security consultant. I told her to ask her line management to conduct a security audit and provide her with a one-page executive summary within 30 days. "If your team can't conduct a security audit or provide you with an executive security summary, you definitely need outside help," was my answer.

System administrators, and anyone else likely to be blamed for security problems, should make it a point to provide executive-level security summaries on a regular basis (Figure 3-2). Ideally, the reports will prompt management to approve funding, increase head count, provide training, or supply whatever else you need to fix the problems. In the worst case, you've got written reports to cover your posterior.

Figure 3-2. [image not reproduced]

Even when the result of a security audit is good (no major security risks found), management still needs to receive an executive summary. As I noted earlier (many times!), security problems aren't always apparent to the naked eye, and it isn't usually obvious when a problem has been fixed. That's another reason why executive managers should request a concise (one-page) executive-level security summary on a regular basis.

Set Security as a Corporate Goal

You may have trouble maintaining security because everyone is too busy trying to reach other goals. If you have problems maintaining security in your company, consider adding security as a goal for every level of management.

Provide or Take Training as Required

For security to work, everyone needs to know the basic rules. Once they know the rules, it doesn't hurt to prompt them to follow those rules. Use e-mail to send regular reminders about the importance of information protection, password maintenance, system security, and so on. If you or your employees haven't participated in training on basic security precautions, do it or see that it's done.

Ideally, your company should already have people who know enough about security to design and run basic training sessions on their own. If they don't, take the time to arrange for external training.

Now, before you say, "We don't have time for that sort of thing," think creatively. Training doesn't have to be cumbersome or excessively time consuming. Some firms use prerecorded videos to fit into employee downtime or even offer individualized email classes. Training doesn't have to mean 30 little desks lined up in orderly rows. Pick a method that works for your company.

Make Sure That All Managers Understand Security

It is especially important that all members of management understand the risks associated with unsecured systems; otherwise, management choices may unwittingly jeopardize the company's reputation, proprietary information, and financial results. I'm not saying that you need to be a security expert, but you should understand the basics and get the lingo down.

Communicate to Management Clearly

Too often, system administrators complain to their terminals instead of their supervisors. Other times, system administrators find that complaining to their supervisors is remarkably like complaining to their terminals.

If you're a supervisor (or other manager), make sure that your people have easy access to your time and attention. When security issues come up, pay attention! The first line of defense for your network is strong communication with the people behind your machines.

If you're a system administrator, make sure that talking to your immediate supervisor fixes the problem. If it doesn't, you should be confident enough to reach higher in the management chain for results.

Checklist

Use this checklist to determine whether your company's organization and management levels allow security concerns to be addressed adequately. Can you mark a "Yes" beside each item?

___ Are executive-level security summaries produced regularly?

___ Does a clear communication path exist from the top level of management to the line-level workers? And, more importantly, does everyone know what or where that communication path is?

___ Does responsibility for security rest with a Vice President, Director of Security, or other member of management? The higher up in management the responsible party is, the better. Make sure that the manager responsible for security isn't buried deep within the organization and has the authority to act. Otherwise, he or she will be little more than a scapegoat.

___ Has management demonstrated that it is committed to the company's security program by appropriately presenting and enforcing it?

___ Has adequate funding for security been allocated and made available?

___ Do all system administrators understand the importance of reporting and resolving security issues quickly?

___ Is security awareness training provided as part of the standard orientation for new employees at all levels, from line-level staff through upper management?

___ Have steps been taken to ensure that all employees (from the top down) are aware of the company's information-protection policies?

___ Were the realities of the company's culture (in terms of management/worker relationships) considered when the security policies and procedures were developed?

___ Do employees know whom to call for help when a security breach occurs or when they don't understand their roles?

___ Are security audits conducted on a regular basis?

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73