I've not yet come across an organisation that doesn't have some kind of group that focuses on IT Security. And, frankly, it's hard to imagine any organisation that could get by without one, either.
But am I the only person who wonders whether the cost to remediate IT security issues is actually worth it?
Apparently, there are very few IT security people who ask that question. I was at this event the other day, and I was talking to a security person, someone quite senior. During the course of the conversation, I was informed that the strategy was to remediate every potential vulnerability, no matter how small and how theoretical. When I asked him how he paid for all this, he told me that finding the money wasn't his problem. Going further, he said that when he issued a security directive, he expected it to be followed, and if it couldn't be, the workstream or project got closed down.
I shut my mouth at this point, knowing I was speaking with that most invidious of creatures, the professional security specialist. You know the type: they spend all their days dreaming up the reasons you can't do something, rather than helping you find out how you can. Theirs is the right to kill any change for any reason, so long as it is related to a "potential security issue".
The lack of business-centred thinking amongst security specialists is endemic in financial services.
Let us, for example, force employees to have multiple logins that change all the time. It is so very easy to write a policy and implement technology that enforces various levels of password rules, but it isn't so simple to find the money to pay for the helpdesk calls that result from escalating numbers of password resets.
In one bank I know, the response to this was to implement a complex automated system for self-service password unblock. Wouldn't business centred thinking have suggested that a better way would be to relax the password change rules? Since when is a password the only control on business systems anyway?
Anyway, the cost of all those passwords was shown to be way, way higher than the potential costs of any reasonable incident. Didn't matter to the security people involved though, because they were security professionals. Remediating threats was their business. Finding the money to do so wasn't.
Now, obviously, it is impossible to remediate every single potential threat to any large organisation running IT systems. And quite clearly, some threats are larger than others. The problem, of course, is working out which matter and which don't. Spending millions extra on a helpdesk to reset passwords for systems that have multiple lines of defence is clearly somewhat less urgent than dealing with the latest internet banking threat vector.
Security people, for the most part, don't care because they don't have to justify the financial consequences of what they do.
But what would the effect on an organisation be if the security folk had money? And if they were accountable for paying for remediations they decided they had to have?
I bet the first thing that would go would be the self-service password reset system, and the millions extra on helpdesk calls. Objective assessment of those costs in the light of financial constraints would make both an expensive luxury.
I suspect there are already forward-thinking organisations that have worked out that the business case for IT security often doesn't stack up. And I rather hope that I'll be meeting fewer professional security people in the future. Instead, I'll be meeting business people who know security, and who will be trying to add up the numbers for what they do.
I am certain, when that day comes, we will not only have more agility in IT, we'll also have a much smaller security bill.
And no increase in incidents either, since all that will be remediated are those issues that matter.
Bankervision. I feel your pain. I recently consulted to a retail organisation similar to, say, ASDA in Australia. This organisation doesn't currently allow staff access to most online services, including Twitter, Facebook, YouTube, Hotmail, Gmail, etc. When I asked why, I was expecting time-wasting, productivity-based responses. But what was I told... "due to security risks". I said, what about the risks to doing my job and being connected to our customers? I got that dreaded look, you know the one... why are you being difficult? So, I brought my PC and the 3G and had full access. Pretty soon, all the staff found out, and would come to my desk to 'borrow' my PC. Ridiculous!!
Posted by: Confused... | July 29, 2009 at 08:51 AM
I'd like to think most security experts understand that security is finding the balance between costs and risks, but you're probably right that many do not and instead think of security in absolutes rather than risk management. A well-regarded security expert who does understand this, and has written several books on the subject, is Bruce Schneier - his books are definitely worth a read if you're looking for a pragmatic approach to security:
Beyond Fear, ISBN 0-387-02620-7
Secrets and Lies, ISBN 0-471-25311-1
Posted by: Bart | July 29, 2009 at 09:49 AM
I'm no security expert, but I can sympathize with them.
The IT people are in a tight spot. The decent ones understand the business perspective you are coming from. But they also view the entire "system" as one big castle that needs a consistently deep moat. And this is probably correct.
Consider Twitter's recent woes. An employee made some very common mistakes (reused passwords, let an old contact address expire) and opened the entire system to a hacker. Eventually, this led to Twitter's intimate secrets getting publicized across the net.
Imagine this happening at your bank.
Does security consciousness deaden innovation? Certainly. But the risks are huge. Maybe a partial answer is to experiment outside the moat with fake data and only bear the costs of security hardening for truly outstanding projects.
Posted by: Mik | July 29, 2009 at 11:02 AM
I have a feeling that someone will be finding all his passwords no longer work today. A great post that I would love to show to some people here...not brave enough though as I like being able to logon to my work PC everyday ;)
Posted by: Aden Davies | July 29, 2009 at 01:11 PM
Speaking as someone who's done time in banking and insurance, this is embarrassing news. I'm used to management demanding ROI figures where ROI is hard to measure; IT security is one investment where you can quantify the cost of a failure, but they're not expected to quantify the value they deliver? Mamma Mia...
Worst of all is the mindset espoused (in the comments above) by Mik. A "big castle that needs a consistently deep moat" is a flawed, out of date security strategy that assumes everything inside the bank is trustworthy and safe, and everything outside is dirty and dangerous. The problem being, as The Twitter attack showed, that an enemy only needs to crack one trustworthy account, and the moat has been crossed.
My preferred solution? To treat IT security the way we treat building security; integrate it into the design. You wouldn't let a team of nightclub bouncers disrupt your branches, after all. And I will never work on a security related project without asking the sponsors to read Ross Anderson's "Why Information Security is Hard - An Economic Perspective".
Posted by: Gordon Rae | July 29, 2009 at 01:28 PM
Insightful post, James. You have just discussed the "elephant in the living room" and it should be done more often. Uninformed management teams leave tactical decisions like security to "gurus", and the stream of funds, while not endless, is often substantial compared to budgets for other groups or initiatives. The current security flavour of the year, PCI in the payment industry, has a clear goal with nebulous practices to be successful, but it has fines from Visa and Mastercard that are really subjective at best. IMHO, education and prudent security/IT policies are the answer for organizations that have security as a high priority due to the sensitivity of their (or their clients') data. I'll end with food for thought for you - what is the ROI on email ;-)
Posted by: Joe Young | July 30, 2009 at 11:22 AM
"During the course of the conversation, I was informed that the strategy was to remediate every potential vulnerability,"
At a personal level, that would be my strategy too if I was doing his job because of the asymmetric reward structure. If there's a breach, he gets fired. Hence he wants to close any possible vulnerability, which is rational from his perspective even if, as you point out, it may not make business sense.
Posted by: Dave Birch | August 04, 2009 at 08:59 AM
Your article really inspires me. Maybe by combining your ideas and mine I will manage to start some serious work on my business blog.
Posted by: business journey | March 14, 2010 at 10:56 PM