Get with IT

July 20, 2010
Security best practices without question?

Are you feeling insecure lately? No, not about yourself, but about your organization's competitive position in the marketplace? What about its ability to meet client and business partner obligations; or, its ability to stay out of the court system and on the good side of industry and government regulators? Well, if your organization is like most, it has problems - big problems - when it comes to protecting one of its most valuable assets: electronic information. Sensitive information on your computer systems is second in value just behind your organization's employee capital. So what are you to do? Fall in line and move along with the herd?

There are a lot of security tips out there that you can follow: firewall this, encrypt that, strong passwords for all, and security policies that leave no byte unturned. These are all security "best practices" we hear about and have forced on us by auditors, lawyers, regulators, and (perhaps worst of all) vendors generating hype via their fear, uncertainty and doubt-based marketing tactics. An alarming number of organizations buy into this free advice and blindly operate their businesses believing that if they throw enough money into technology and document some key security policies, they are safe. Everyone else is doing it, after all - yeah, right! This one-size-fits-all mentality is bad for business.

Having said this, there are a few key things you will likely need to have in place before you can effect change and reasonably secure your information systems:

1. Key leaders and decision makers who understand the importance of security, privacy and IT governance - not just a best practice or regulatory requirement that the company needs to dodge, adhere to minimally or ignore altogether. In other words, people with the bravado to see security and privacy as legitimate business issues who can make things happen.

2. An IT governance/oversight committee made up of several people from various areas of the organization that calls the shots - i.e. creates and enforces security policies - not just the IT administrator doing his/her own thing.

3. An information classification system that clearly outlines which electronic assets are present on your network, which information needs what type of protection, how you are actually protecting it, and how it needs to be retained for legal and regulatory purposes.

4. Security standards that every administrator, manager, developer and team works by to ensure that all critical systems are consistently secured throughout the organization.

5. Users who are reasonably aware of security and privacy issues combined with IT/security administrators and management who do not depend on them for the security and privacy of the organization's information. Users can serve as a good layer of protection but it is still a layer of protection on which you cannot fully depend.

The most important thing is to not jump on the bandwagon and start implementing every known security measure just to please others or because someone says it is the right thing to do. Not that the advice you receive will be completely off base, but the reality is that every organization has different needs for managing information security.

Going beyond these essentials and building out a true risk management-based system is imperative and will evolve over time with the right support and approach. Well-known IT/security standards and frameworks such as ISO/IEC 27002:2005, COBIT and ITIL are nice for starters - but do not put them in place for show, to look good on paper or to simply fit in. It may sound clich‚, but I see it quiet often. Many businesses - both large and small - put together some fancy security framework documentation and business processes in order to please internal audit, clients, business partners and government regulators. I've even heard things like "This is just how we do things in our industry," or "We've always followed general best practices and they've worked so far."

But what does it really mean and what good does it really do when the majority of your IT processes and controls are in place just for show? If anything, such an approach to information security can create more liabilities than it mitigates. Furthermore, what if you found out that you are doing too much? Spending more time and money than necessary and creating more hassle just because it seemed like the right thing to do are sure signs of a failed approach to information security. Such reliance on "best practices" is a great way to set your business up for long-term failure.

Do not fall into the myrmidon mindset. Think for yourself. Look at your own requirements and your own needs in the context of which you are doing business. It is OK to take the advice of others - just don't forget the fact that no one knows your organization's culture, politics and means of operation better than you and your peers.

Show reasonable effort to minimize security risks relevant to your organization and document why you are not falling in line with the masses for everything else. You can save money, time and a whole lot of effort and still please the regulators and auditors who ask the tough questions down the road. In fact, stepping back and looking at the big picture could be the very formula you need to finally get on the right track and obtain the buy-in and visibility you need to make security work.
Kevin Beaver is an independent information security consultant, author, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments in support of risk management and compliance. He has authored/co-authored seven books on information security including the brand new "Hacking for Dummies,3rd edition" and "The Practical Guide to HIPAA Privacy and Security Compliance." He is also the creator of the Security On Wheels information security audio books and blog. For contact info and links to his blog and Twitter account, visit