How well your enterprise security works depends, it seems, on whom you ask. Most corporate users are confident that they have security nailed, and that they’re doing a good job observing corporate security practices, but IT tells a different story. In a survey conducted last November, Toronto-based
Soltrus Inc. found that 70 per cent of users in Canadian enterprises believed they were “well aware” of their companies’ security policies, while only half of IT staff surveyed called their users “moderately aware.”
This disconnect between the rank-and-file and the security professionals is a big problem. “That’s where you really see the issue,” says Robert Richardson, editorial director of Computer Security Institute and co-author of its annual security report, produced jointly with the FBI. “People remain quite naive about their vulnerabilities and particularly about corporate vulnerability.”
That naiveté breeds a false sense of security, and that opens the enterprise to attack and financial loss. The 2004 CSI-FBI Computer Crime Survey found that its sample of 486 U.S. companies estimated losses from wireless network and employee internet abuses at almost $21 million (US) — almost as much as losses from denial of service attacks.
It’s a big problem, one that requires the immediate and focused attention of the highest levels of corporate management. “I think it should be a very big issue in the boardroom,” says IDC Canada vice-president Joe Greene. “It has to start at the top. They’re the ones who set the tone and allocate money to projects. If the gap is going to be closed, then they’re the ones who have to do it.”
The good news is that there are strong indications that C-level executives have woken up to the fact that all is not well in enterprise security. While Soltrus’s enterprise product manager Marcus Shields notes that “the CIO isn’t interested in how many messages the spam filter blocks every day,” the issue has nevertheless made it to the table. Security is a priority.
“Ten years ago, if a company even had a CIO, his response was, ‘Security? What’s that?’” Shields says. “Five years ago, it was, ‘We’re thinking about it and we have a poster on the wall.’ Now, progressive enterprises are saying that they have to work out security policies and procedures tailored to the nature of their businesses, security that works specifically for their needs.”
This trend is reflected in the increasing number of chief security officers in corporate boardrooms. The CSO position was almost unheard of at the turn of the century, and Shields says that it still exists primarily in large enterprises. Nevertheless, the appearance of a C-level executive whose sole concern is the security and integrity of corporate data can be an important step toward closing the security gap. “It’s a step in the right direction,” Richardson says.
But it’s only a step. “It’s not enough to say, ‘We got a guy for that’ and forget it,” Richardson says. Management has to be completely engaged in the process of developing security policies that the rank-and-file not only know about, but understand and use. “The details are a C-level issue, even if management doesn’t want to deal with issues,” he says. “But to make a company really secure, you have to create a culture of security awareness.”
One of the first mistakes that many companies make is to lock everything down so tightly that the only way to get things done is to skirt the security policy. And — in for a penny, in for a pound — once the policy falls apart just a bit, it often comes completely unraveled. “A security policy that can’t be used by real humans is worse than no security policy at all,” Shields says. “Either it will be turned off or circumvented and you’ll have no security, or whatever system it was supposed to protect simply won’t be used.”
Normal people can’t keep track of fourteen-character alphanumeric passwords that are recycled every day, so they write them on post-it notes and stick them on their monitors, or they just forget and share a co-worker’s password. And if workers have to jump through hoops to get their jobs done, there’s a good chance they’ll be jumping more than working.
More importantly, employees have to know what corporate security is all about. Indeed, according to Shields, one of the main reasons for the disconnect between employees and IT is that many security policies are just too thorough and complex. “These are people who have jobs to do,” Shields says. “If you have a thick binder of security policies, then you have a problem. You have a thick binder full of policies that no one will read.”
The bottom line is that you can only close the security gap by raising the security consciousness of your employees, and that’s only going to happen when management makes a strong commitment to education throughout the enterprise. “If there is a difference of perception of threat between IT administrators and users, then users have to be educated about the level of threat,” Shields says.
But it’s more than that. IT administrators and C-level managers have to be just as diligent about learning why the gap exists. “There has to be an engagement across all levels of the enterprise, and it has to be a systematic effort,” Richardson says.
At one level, that means that the top-level security staff must have a better understanding of the business processes to determine the appropriate level of security and develop appropriate policies. Business plans have to be factored into security, Richardson says.
At another level — the top level, in fact — management has to be fully engaged with security all the time. “I don’t think C-level executives who aren’t the CSO need a thorough schooling in security,” Richardson says. “But they do need a passing understanding of what the issues are.”
In any event, Richardson says, the security perception gap isn’t going to close until enterprises are prepared to put resources into the effort and, at the end of the day, that’s what makes it a C-level issue. “Those decisions, like the allocation of resources, can’t be made by your security staff,” he says. “It has to be made at the C-level, and one of those executives should be a CSO, who oversees the security system and policies on an ongoing basis.”
Changing a security culture is not a one-time expense. There will always be costs for ongoing operations, upgrades and re-training. “The majority of companies are looking at increasing their budgets for security,” Greene says. “Management won’t necessarily increase the overall IT budgets, but they’ll have to borrow from other budgets.” Whether that happens depends very much on how much soul-searching an enterprise is willing to do. “Nobody wants to admit to this kind of disconnect,” Greene says.
Whether they want to or not, Shields says, the only way to fix a problem like the security gap is to start by admitting there’s a problem.