Friday, September 26, 2008

Security vs IT at Computerworld

A long-time blog reader pointed me towards this Computerworld article Making enemies, but needing allies. I must absolutely emphasize that this story is not me, nor does it reflect issues I have. However, my blog reader asked me specifically to ask if any of you share this problem, and if yes, how do you handle it?

Our fledgling security organization is starting to run into some significant relationship challenges. As we're beginning to build our information security program from scratch, we're causing some friction.

In my company, information security is part of the IT department, but like several other IT disciplines, it reports directly to the CIO. As a result, the infosec and IT support teams are peers, a relationship as uneasy as that of siblings. Over the past couple of weeks, tensions between our teams have been rising sharply...

As we try to bring security to an acceptable level, we are introducing new policies and standards that are being met with hostility by the IT support teams. They will have to perform some of the remediation we have identified, such as patching and updating devices, cleaning up firewall rules and implementing redundant systems. So, basically we are telling them what to do -- which they interpret as telling them how to do their jobs. And they don't like that.

Does this situation resonate with any of you, and if yes, how did you deal with it?


Black Fist said...

Yeah that's basically my job in a nutshell. Every idea I have is met with hostility by someone for some reason. Sometimes I get complaints because people don't think that there is really a problem there, and other times people complain that there are bigger things that I could be focusing on. Some people just call my Barney Fife and try to ignore the policies as long as they can.

How do I deal with it? Well I have pretty thick skin so that helps. I also try to remind myself that the people doing the complaining are blessed to not see the world the way I do. Their sluggish, unencumbered minds do not perceive risk in plaintext passwords being sent over the network or sensitive documents not being shredded.

I need to gather as much support as possible, and one way that I get that is by making the managers of each division within IT sign off on the policies before they go into effect. That way if anyone starts to complain I can tell them that their boss saw value in this policy. I also try to include stakeholders from each of the divisions in the drafting process as well. It helps to reduce the friction, but I am doubtful that it can be completely removed.

Another idea that comes to mind is to put together good metrics that show the output of your work. If you can show that your new password policy has greatly increased the average time required to crack a users password, then it becomes more difficult to challenge the validity of that policy

Roman said...

It does, though my situation is a little different. We have a section that handles physical and information security, which is separate from the IT department. I am in charge of computer security and network defense, but I am actually assigned to the IT department and report to their manager. This in itself has created issues since security vs. operations can create conflicts of interest, and the manager tends to overrule whatever I suggest that they perceive may break something. However, when I suggest they test it first (and I always suggest that; I'm not trying to cause downtime) their argument is they have no time/are too busy to test it. So nothing changes.
I combat this by making use of the fact that the department is a small shop, and instead of trying to make the manager enforce policies all the time, I work directly with the system and network admins and get technical with them. I explain what I believe needs to be done, and individually address their concerns. This has helped tremendously, especially with my credibility with the support staff, but still leaves a lack of high-level support for larger IT security projects.
To press for some of those, I had to get the security section involved to bring higher-level interest (aka higher than the operations manager) to weigh in on the issues; that has caused some movement, but there's plenty more work to be done.

Keydet89 said...

I've seen this for a number of years, both as a consultant as well as in FTE positions. It's nothing new.

I think that part of the problem stems from the fact that the IT guys and gals are working with the systems on a daily basis, and have little to no security training. At the same time, they ultimately get their guidance from the CIO, who does not mandate nor enforce "security". So now the IT folks have some technical nerd following them around and telling their boss, "hey, you missed a spot."

Any E-2 in the military will tell you...this ain't good.

If you're going to have an organization such as what is described, you can't have separate have to merge them. IT folks get a lot more into the business side of things, and the security folks some along and tell them "you're not doing it right" with respect to security, many times without bothering to consider the business side of things. This is a recipe for disaster.

It's 2008, folks. If a senior or executive manager does not recognize the need for security and still needs to be "sold" on the face of all the regulatory and legislative oversight...then you've got to find another company...

Steve Lodin said...

Yep, it happens in some surprising places. Just tell them the following:

Management - My job is to keep you from getting measured for the orange jumpsuit.

Peers - My job is to keep this company safe and secure, along with your job so you don't get a pink slip.


Peter said...

Assure you have proper approval and buy in at the right levels for the piece of legislation.

You have to include the correct stakeholders from the business and IT. Getting this buy in will enhance your companies execution and enforcement.

In time different events will occur that will impact how these are written and implemented. So be sure to establish a review process to assure that you are addressing agreed upon risk in manner consistent with the capabilities of your organization.

Rome was not built in a day. ;D Conduct risk assessments so you know where your oppurtunities lie. Risk assessments should include a review and agreed upon action plan from the stakeholders.

Anonymous said...

A thing I've noticed in the group I work in is we've got such a high level of respect over the organization because many of us were in those exact positions the IT staff are in. Nearly all of the technical staff have been systems administrators within the organization at some point and have a good grasp of the world our IT staff work in. This doesn't mean everything is peachy, but it does mean people do not ignore us. Retention of stellar staff is unbelievably important to our operation. We're luckily in a unique position to offer benefits other entities do not.

We don't do this, but a friend of mine works at a company that happens to allow people to nominate small bonuses or awards to specific individuals across groups. It also sounded like employees can kick these bonuses up to their manager so if it was a really important thing a larger award can be kicked over. There is some sort of budget each group has for these, I'd figure its relatively equal or else some groups would be better to work with on priority issues or something like that. It sounded like a great idea if employees were entirely motivated by little bits of extra cash, but I couldn't bring myself to believe this would have a lasting positive effect within our organization.

So yeah, either an amazing reputation, or piles of cash.

Anonymous said...

Yes, that's a problem alright. And I don't think there is an easy answer. As I think the author of that piece understands, process is critically important to the way that information security is managed in an organisation. The processes must be designed with security in mind, and they must be followed consistently to ensure all of that security is actually applied in day to day operations.

If the organisation is immature, and relies on individual skill and heroics, this needs to change. However I don't think that the IT security area can effectively implement that change on other areas when they are effectively their peers. A peer has no real control over their coworkers actions, other than what can be achieved by pestering or cajoling, and this will only go so far.

The answer, unfortunately, is to get management buy in and enforce the changes from the top down. Im willing to bet people have heard that advice before, but its a cliche for a reason. Managers have a direct ability to control their subordinates actions in a way that peers do not. If managers demonstrate commitment to security, and tell their staff that it is important, while providing the appropriate incentives for change, then change can happen. Maybe not without serious disruption, but it can happen.

However, therein lies a problem. Many managers are NOT that concerned about security, and instead are only paying it lip service (your privacy is our utmost priority), they don't understand IT security, or they don't want to put up with any inconvenience to implement security. And if they don't support it they wont provide the needed funding or support - and funding and support IS needed if you want to build information security in an organisation from scratch.

My advice is that if senior management don't support security by providing needed and visible assistance (as opposed to just saying that "security is important to us"), then it will be basically impossible for IT security staff to implement it. If this is the case save yourself a LOT of future frustration and start looking for a new job now....

Security Application said...

Just straight forwardly tell them to do their own work and should allow you to your own. Once for all, just clear it, not to interfere in any one else's business.

Ivan said...

Many issues raised are present at my place too. It is pity that usually this kind of discussions only get ITSec attention. It'd be waaaay healthier to see some input from "victimized" IT.