I've been working hard at work. And I've neglected this blog. It started off with a bang and now it is fizzling. So, here is a tidbit I came up with a while ago.
This may be obvious to some, and hopefully it will be obvious once you have read the post, but when I came up with this idea it took a lot of thinking and a lot of convincing of everyone around me that this is how it works.
Please note that this does not necessarily represent the company I work for, the company I am contracted to or any other company living or dead, blah blah blah. It's hopefully applicable to ALL businesses.
Let's begin... businesses sell stuff. They either sell services or products, but with nothing to sell they are not really all that useful, ask Enron.
Traditionally there have been two camps of people in businesses - users of information and the guys who make sure that the information gets to where it needs to be. You could call them "Business Decision Makers" and "IT".
Business Decision Makers could be anyone in the company from the CEO to the receptionist, etc.
In terms of the CEO think "how many widgets did we sell this week?" For the receptionist it is "What is Jack from Accounts' number so I can put this call through?"
I call these people "Those that do not know" because they have no idea how the magic happens - they just need it to happen. And if it doesn't - there are problems. Note that IT could fall into this category as they use information but their main job is to make sure that the information gets to where it should be - and they should know how to get it where it is.
Next is IT. Their contract with Business is an SLA or a KPI. The main part of the contract, in both the IT department's mind and Business's mind, is the "Availability" part. Downtime will be "8 seconds every 7 months" or such. Security is tucked in the contract but it is way down at the bottom and usually doesn't have an SLA. Or a realistic SLA anyhow. "IT will keep all patches up to date".
Traditionally security has been seen as an IT function. But try to do something that may make the organisation more secure but at the same time will require downtime or could result in unscheduled downtime. You will be hit on the head with the contract and be shown the SLAs. I call the guys in IT, from the CIO all the way down to the guy who fixes PCs, "Those that do not care". It's not really that they don't care about security as such, they just have bigger fish to fry - their SLAs. Speaking of the guy fixing PCs, if he has to choose between setting the CEO's password to something hard to guess or "Password1", which do you think he'll choose? He'll want to get the old man off his back and working again - Availability.
So, we have the two camps, "TTDNK" and "TTDNC". Where does Information Security sit? Well, we sit in the middle. And it's not a comfortable place to sit. Essentially what we sell (Confidentiality, Integrity and, the big one, Availability) is something that Business does want. They just don't know that their data may be at risk of having one of these taken away. We have to show them that. We also have to show them that by ignoring the C and I, they are at risk and they are the ones that will be left responsible. We also need to work with IT and show them that they can make the C and I work without too much extra on their plates. And with both sides we need to review SLAs that don't allow for things like patching.
Extending this to everyday activities: when a patch comes out for a piece of software, Business should be doing business stuff - not thinking about patches. They should be blissfully unaware of the risk of not patching. IT will be concerned with Availability and will not want to install the patch. Information Security has to sit in the middle and show each camp why the patch must be applied, each in their own language, and get it done.