In virtually all aspects of life, individual perceptions mean no two people see things in exactly the same way. Perception is like that old team-building exercise, where you tell a story to someone in the group and he tells someone else, and she tells someone else, and so on, until the last person retells the story. Inevitably, the story changes as it goes from person to person, and the retelling is never the same as the original.
Perception contributes to an individual's expectations. Your perception is your filter on reality. The old expression "perception is reality" is true. It doesn't really matter what actually occurred; what matters is what people perceive occurred. On the other hand, expectation is what you think will happen. This is where perception and expectation cause problems with security and technology in general. Two people or groups of people undertake a technical project with a different expectation of what the effort and end result should be. This virtually ensures that at least someone is going to be disappointed by the end result, because it likely is not going to be what he or she expected. The perception then has the potential to be "technology and IT failed."
You can address this, however, by looking at how to properly set the perceptions and expectations of all the people involved, so that everyone shares a common perception and expectation of what will be accomplished by hardening your network infrastructure.
Your users are one of the most important groups to set perceptions and expectations with. A user is anyone who is going to be using the technologies and systems that you are implementing. While it can be somewhat entertaining to look upon our users and think "what do they really matter, they are just users after all," the truth of the matter is that the whole existence of technology, and by extension security, is based on supporting the users' needs.
For example, let's say you decide that it is time to implement a content filtering system. The technical goals of this project are to help reduce malicious content from entering your network as well as to prevent access to websites with questionable content that could expose the company to litigation. Your perception, then, is that this will be a good investment in technology, and the expectation is that your network will be more secure as a result of implementing the new system. Your users may look at this same situation from a completely different perspective. Their perception might be that IT is trying to monitor what they are doing in a sort of Orwellian fashion, Big Brother, if you will. Their expectation, then, is that this project will merely make their lives more difficult by preventing them from accessing websites or content they might want or think they need. Whether or not this occurs, the users' perception and expectations have already been molded. Your responsibility is to make sure that you adjust the users' expectations to be more in line with reality. This in turn will contribute to a different and better perception on the part of the users. The end result is that your job will become easier and your users will start trusting you, especially if you accurately deliver based on their new expectations.
Technology evolved not so that we would have cool things to mess with, but so that those users could be more effective in performing their jobs and businesses could run more effectively. The goal never was and never should be to make the user a technical expert. The goal is to make that user better at his or her job. You want your sales force to be able to sell more. You want your accountants to be able to manage the cash flow more effectively. You want your engineers to be able to design more.
This is a key point to understand, because many users do not comprehend what it means to be more secure. Sure, they understand it in general terms, but they don't know what that really means to them. They don't understand what impact it will have on their daily routines, and that lack of understanding often leads to fear. This is all human nature. People routinely fear things when they don't understand how they will be affected. For example, if your users get told that IT is "monitoring the network," they may get the impression that IT is monitoring them. It goes right back to that perception that IT is on some Big Brother mission to know what every user is doing every minute of the day. You can then adjust what your users perceive and expect by providing them more information about what "monitoring the network" means. Perhaps you are merely trying to monitor the bandwidth utilization on some network segments. Let your users know that so that they understand exactly what you mean by "monitoring the network." Your responsibility is to set the users' expectations on security so that they understand what security means to them and, more important, how it will affect them.
You can do five things to help set your users' perceptions and expectations:
Eliminate user fear.
Earn your users' trust.
Communicate with your users.
Find champions.
Be realistic.
Fear, uncertainty, and doubt (FUD) can undermine just about anything, including an attempt to harden your network. FUD creates an environment of fear and uncertainty in your user community due in large part to confusion, misunderstanding, and rumors about the goal of network security. While FUD can be a powerful factor in contributing to the failure of a hardening project, the good news is that FUD can easily be countered through a strategy of education and communication.
One method of eliminating FUD with your users is to set the appropriate perception for your users. Unfortunately, many people look at network security with a "Big Brother" type of fear. This often comes from a mistaken perception that increased security and reduced privacy are the same thing. They are worried that someone is watching them, just waiting for them to slip up and view that personal e-mail or go to that non-work-related web site. Make sure your users understand that this is not the goal or objective. While you certainly may be, and should be, tracking your users' online activities, and they need to know that you are doing this, you need to make sure that they understand why you are doing this. For example, let's say that you run reports that show who is visiting online employment web sites. The knee-jerk reaction on the part of the users when they discover this might be that you are trying to monitor whether they are looking for other employment so that the company can fire them or give them bad references. In fact, you might be monitoring this solely for use by human resources so that they can determine whether a morale problem needs to be addressed. In an example like this, it is important to set the users' perception accordingly. Let them know that in this case there are no adverse consequences related to their online activities. This can often be handled through the use of an acceptable use policy that stipulates what kind of Internet access is acceptable.
An often overlooked aspect of setting user perception is the need to gain the trust of your users. This is because, much as we may have our preconceptions about users, users have their preconceptions about us. Many users have had that fateful run-in with someone in IT when they were made to feel stupid by virtue of how they were talked to or treated. While the user may or may not have been justified in feeling that way, all that matters is the perception of that user. As long as he believes that he was talked down to, then he was. As a result of these kinds of interactions, many users view IT as a bunch of snobby geeks who can barely be tolerated, much less trusted.
This general lack of respect undermines trust, but it is not the only reason that a lack of trust exists. Things like the network being down frequently, a slow response or no response from the help desk, or even a response from the help desk that doesn't help all contribute to the lack of trust by causing your users to lose faith in the abilities of IT.
You have to overcome this lack of trust if you want to be successful at hardening your network. If your users trust you, they will work with you. If they don't, they will work against you. The easiest method to earn their trust is simply to talk to them, treat your users as equals, and mitigate any feeling of threat. Make sure that they understand and believe that you are here to support their needs, not to spy on them or tell their boss if they make a mistake. If you show your users respect, they will return it in kind. That will earn their trust, making it much easier for you to get them to make the changes necessary to make your network more secure.
By far the best method to set your users' perceptions and expectations is to communicate effectively with them. You can shape and mold what a user perceives by telling her what is going on. At the same time, you need to use some caution. Too much information can be a bad thing, especially if the users do not understand the information you are providing.
I worked at a company that had two managers who required a dramatically different level of communication when we made network changes. One manager really needed to know the gritty details of what we were doing. Anything less than that left the manager very uncomfortable, which often translated into difficulty in getting him to sign off on making changes. The other manager wanted to know none of the technical details. If you could provide an analogy that he would understand, then great. Otherwise, we could simply tell him that we were making things better, and he was happy. Identify the level of communication required for each group of users you have to deal with, and attempt to find common communication levels that you can use across your environment.
Some methods of communication that can help you set the perceptions of your users are listed here:
Build a newsletter of tips and tricks that is distributed via e-mail or intranet. If your users know of more secure methods to perform tasks, they will often use them.
Be willing to explain why. No one likes being told to do something without being given an explanation. You can address this before it is an issue by making it a point to always answer the question "why" without your users needing to ask it.
Explain the benefits and drawbacks of the security measure or practice. The key here is making sure the users know what to expect in advance. You have to address the benefits and the drawbacks, however, especially if the users can no longer do the things they used to be able to do. It is important not to gloss over the drawbacks or you will lose user trust.
Ensure that all communications are phrased and presented as if between equals. Make sure that you don't inadvertently speak down to your users.
Communicate with your users on a schedule other than when it hits the fan. You want to make sure that your users do not begin to see you as the bearer of bad news. Make sure that you are the periodic bearer of good news as well. For example, if you are able to prevent a new virus or worm from affecting the company, take the time to send a notice to the users commending them for adhering to your e-mail or virus protection security policies.
Get and keep your users involved in the process. Make all your users a part of the security process, not just those who are most affected by the security process. The more involved your users, the more aware they will be. You can do this through the use of regular lunch and learns and scheduling training sessions on new products and technologies with which the users will be frequently interacting.
Lunch and learns can be about topics other than just work-related tasks. Eric, the technical editor of this book, has hosted some lunch and learns on how to buy a new PC, and comparing and explaining DSL to cable modem and dial-up Internet access. While the lunch and learns didn't really relate to work, the users liked them, and it allowed some of the users to get to know some of the technical people a little better, and in a positive light. Be creative when coming up with lunch and learn topics.
In my younger days, I had a mentor who one time told me, "Wes, you fight too many battles. You need to learn how to let other people fight some of your battles." In the days of old, the king wouldn't always compete in the joust. Sometimes he would find his best knight and send him out to fight on his behalf. This was because the king recognized that the knight stood a better chance at winning than he did. The reasons for finding champions today have not changed.
The best knights were chosen as champions and were often greatly rewarded for their services. You need to make sure that when you find your IT champion you continue that policy. Make sure that she gets the recognition that she requires with the people that matter. This in turn will make her much more willing to work with you in the future, because she knows that she will personally receive a reward for her actions.
In many cases, IT is an outsider in an organization. IT isn't a part of HR or accounting. So often when IT makes recommendations to other organizations, they are viewed as trying to come in and change things without understanding the organization. This can make your security steps more complex because you must first overcome that perception before you can begin the actual hardening process. For example, if you want to implement a firewall between the accounting resources and the rest of the company, it may require changing how accounting accesses the network or what resources they have access to. This might be necessary in order to secure the accounting resources effectively. If this means that the accounting folks can no longer access something that was not required for their job but that they frequently accessed anyway, you can almost bet money that the change is not going to be well received. To eliminate this issue, attempt to find a champion who can fight on your behalf. Try to identify the people who have bought into your message and who want to see the changes happen. Then empower those people to convince the rest of the organization that what you are trying to do is a good thing. Let them convince the accounting folks that the benefits of the more secure operating environment will ultimately benefit everyone in the long run.
We have all run across the secretary who has been with the company longer than anyone else, and whom everyone will follow in any decision. Focus on that secretary and have him lead the rest of the group in the direction necessary to secure your environment. Let's face it: your users may not trust you very much to begin with. But the secretaries do trust the executive secretary who has been there 20 years and says that this is a good thing to be doing. Let him become your champion.
One frequent question is, "Who can I make my champion?" While each environment will have unique characteristics, some common folks usually make good candidates for champions:
Executive secretaries/administrative assistants: It is said that an army travels on its stomach. Well, a company works through its secretaries, and invariably they look to the executive secretaries for guidance.
Auditors: Internal or external auditors can be some of the best champions that you can find, because they bring with their recommendations an impartial perspective. You may fight for months to try to convince management to do something that an auditor needs to mention only once to make happen.
Finance executives/management: From the CFO to a VP of finance, the people who control the money wield tremendous influence over what will or will not be done. Convince them that something makes financial sense and you have won half the battle.
People with tenure: These are often the natural leaders of the organization. They are the folks with the "been there, done that" t-shirts. People look to their experience as an indicator of whether something makes sense or not. If you can convince them, then like all good leaders they can convince their followers.
Be realistic in dealing with your users. It is not possible to prevent every security incident from occurring. You are going to have security failures. For example, you can implement the most stringent anti-virus measures, and you still may get hit by an e-mail virus that adversely affects your users. Be realistic when you approach your users, and make sure that they do not get the mistaken impression that if you implement some security measure, everything will be completely safe.
Your users need to be prepared for a security incident for two reasons. First, they must be ready to accept some temporary pain related to correcting a security incident. For example, if a worm is spreading via e-mail, users may need to be ready to live without e-mail while the e-mail system is being patched, and they need to understand the reason for this. Second, users have to be aware and on the lookout for suspicious activity. If they know that a possibility exists that a security incident may occur, they will be more alert to strange occurrences, phone calls, and e-mails and will be more likely to let someone know about them.
You must also set the perceptions and expectations of management. The reason for this is simple. If management does not buy off on what you are trying to do with respect to security, you will not be successful. If management does not support you, the first time someone important goes to management and says, "I don't want to do this because it makes my life difficult," management will cave in. The odds of a cave-in are directly related to the amount of revenue that person is responsible for. The key to setting management's perceptions and expectations is to make sure that management understands the goals and benefits of the security measures that you are taking so that managers are not swayed by influential people in the company.
As with your users, you should set management perceptions and expectations by doing the following:
Communicate with management.
Gain the trust of management.
Demonstrate the value proposition.
The most important task to undertake as part of your network infrastructure hardening process is to communicate with management. Why is this? Without management support, you will not succeed at hardening your network. Sure, you may be able to do certain things, but ultimately you will fail. You have to gain management support if you want to succeed.
The only way to gain upper management support is to communicate with them. Your goal here is different from your goal in communicating with your users. In this case, you need to educate your management as to the repercussions of not securing your environment. You should not embellish the risk; you need to provide factual and accurate information to management so that they can make the decisions that must be made with the most information possible. Security costs money, as we will see in a moment when we look at some methods to justify the cost, and you have to be able to communicate to management the value that will result from the expenditure.
One thing to be cautious about is inundating management with technical information. While some managers may want all of this information, in most cases they do not have the time to learn all of the technical details of a security implementation. A great method to eliminate this issue is to present all of your information to management in an executive summary format. Focus on the main points and communicate by sticking to answering the following:
Who: Who is affected by the change?
What: What is the change supposed to fix or prevent?
Why: Why is the change necessary?
What if: What are the repercussions of not making the change?
For example, let's say that you want to implement an intrusion detection/prevention system between your firewall and your production network. In communicating the need for this device, you might build an executive summary as follows:
The implementation of an intrusion detection/prevention system will affect all users in the organization, although it should be a transparent effect that is generally unnoticed. This device is recommended so that IT can gain a notification/prevention mechanism to alert IT to suspicious network traffic that needs to be evaluated and, in the case of an intrusion prevention system, to block said traffic. In addition, this device will provide much better insight into the kind of traffic that is being passed between the internal network and the Internet. This device will allow IT to be more responsive to potentially threatening traffic as well as provide a measure of defense in preventing unauthorized traffic from entering the production network. As you may recall, we were infected by Code Red traffic through the VPN connections at the firewall. An intrusion prevention system could have prevented that from occurring at all, while an intrusion detection system could have provided an early warning, allowing us to respond much more quickly to the threat and thereby reducing the impact and cost. If this device is not implemented, we will remain more susceptible to unauthorized traffic entering the network without the knowledge of IT. This can lead in turn to more downtime and expense while we recover from a security incident.
While the above is a brief example of an executive summary, it sets the tone for the kind of communications you need to have with management.
A critical part of setting the perception and expectations of management is gaining the trust of management. If management trusts in your skills and advice, they are going to be far more willing to undertake the expenditures required to harden your network infrastructure properly. You will gain their trust by demonstrating the effectiveness of the solutions that you have implemented as well as by being honest and forthright with them. One of the most self-destructive things that you can do is attempt to hide information from management because the information may not be what management wants to see. Often this is done with the best of intentions. It is what I call "protect the president" syndrome. We have all seen it in the movies and on TV, where someone doesn't give the president information because they think they are protecting him by not divulging it. This never works in the movies, and it never works in real life. The odds are far greater that eventually the information will come to light, and you will likely have lost whatever trust and confidence you had attained as a result.
One of the great debates in security is the question of security versus money. On one hand, you have folks who will argue that the cost of implementing a hardening measure is too expensive to do. On the other hand, you have folks who will argue that the cost of not implementing a hardening measure is too expensive not to do. The fact of the matter is sometimes each group is correct. In a perfect world, money would not be an issue when it comes to security. In our world, money is always the issue when it comes to security. Far too often, the cost of security will be paid only after an incident has occurred and management has realized the cost of not being protected. Our responsibility then is to be able to demonstrate not only the cost of implementing a security solution, but, more important, the potential cost of not implementing it. We will look at some of the methods of cost justification in the next section.
As you do with your users, you need to be realistic when dealing with management. You have to present realistic scenarios and realistic solutions at all times. This is critical in maintaining the trust of management. However, the most important statement that you can make to management is that even if they take all of the steps outlined in your security plan, you still may be vulnerable to an incident. Security is not an exact science, and in many cases the ability to mitigate a threat is based in large part on the ability to be informed of a threat and take countermeasures before it can infiltrate your organization. With a proper security plan, and if you undertake the recommendations in this series, you can mitigate most current and future threats; however, you cannot guarantee that you will mitigate all of them. Management has to understand this, and they have to accept this as one of the risks involved in doing business.