
Security Strategy Without Tears

Level 11

Security management and response systems are often high-profile investments that occur only when the impact of IT threats to the business is fully appreciated by management. At least in the small and midmarket space, this understanding only rarely happens before the pain of a security breach, and even then enlightenment comes only after repeated exposure. When it does, it's amazing how seriously the matter is taken and how quickly a budget is established. Until this occurs, however, the system is often seen as a commodity purchase rather than an investment in an ongoing, business-critical process.

Unfortunately, before the need is realized, there is often little will on the part of the business to take any action. In many cases, organizations are highly resistant to even a commodity approach because they haven't yet suffered a breach. One might think that these cases are in the minority, but as many as 60% of businesses either have an outdated "We have a firewall, so we're safe!" security strategy or no security strategy at all.
[Source: Cisco Press Release: New Cisco Security Study Shows Canadian Businesses Not Prepared For Security Th...]

Obviously, different clients will be at varying stages of security self-awareness, with some a bit further along than others. Those that have nothing need to be convinced that a security strategy is necessary. Others need to be persuaded that a firewall or other security appliance is only a part of the necessary plan and not the entirety of it. No matter where they stand, the challenge is in convincing them of the need for a comprehensive policy and management process before they are burned by an intrusion, and without appearing to use scare tactics.

What approaches have you taken to ensure that the influencers and decision makers appreciate the requirements before they feel the pain?

33 Comments
cahunt
Level 17

The hard part is making someone understand something they do not think is important. Just one of the aspects of IT that demand skills of another nature.

'Cause let's get this right, and right from the start... those sales guys can't do our job, but we have to sell the suits on every idea. Some ideas seem to even need their own marketing campaign.

The article you have here may help introduce the idea, but I think I have worked for some folks in the past who would read this and say, 'I'm not based in Canada.'

ghostinthenet
Level 11

There's the hard part. People go into IT and think they're not going into marketing... but they just don't realize that's a part of it. Unfortunately, we're not good marketers, which is why we're in IT. It's a bit of a catch-22... so how do we overcome?

There may well be some folks who would read the reference, say "I'm not based in Canada" and somehow think that it's not a problem. I'm sure there are just as many people here who would read US-sourced or UK-sourced research and say that these things don't apply to them either. Unfortunately, that's just more evidence of people failing to appreciate the problem. They're reaching to find a reason that these things don't apply to them rather than accepting that they need to be addressed. The world has various cultures, but the attitude we take to cost versus convenience doesn't seem to be tied to any of them specifically.

If I turn around and say that I'm not really concerned about US-based research from organizations like CERT, I'm not going to sound particularly credible. Perhaps that's a more pronounced example, but it's not dissimilar.

Jfrazier
Level 18

You describe some of the disparity between the business and IT.

Part of it is the "it can't happen to us" mentality when it can and possibly has and they just don't know it yet.

Thus until there is "pain" or a cost, then it doesn't appear on their radar.

Depending on what part of the various industries you are in, you will be exposed to things like PCI and the like...those requirements can affect the cost of doing business and the ability to do business.  So being aware and complying make better business sense...

network_defender
Level 14

I make sure management is aware that we are not in compliance, pick your compliance requirement, and give solutions and/or mitigations we can use.  I try to give my preferred solution and a few others.  The others will include options that are less expensive out of the box, but more labor intensive, and more expensive out of the box with lower labor costs.  I end the conversation with the same comment, "I have done my due diligence, the ball is in your court."  I ensure this is done via e-mail as well, that way I do not become their scapegoat.

I also ensure that they are aware of current security breaches, how expensive the breach was for said company, and how they could have been prevented.

Lastly, I keep a continued pressure on the security topics I feel are most important.  Squeaky wheel concept.

ghostinthenet
Level 11

"It can't happen to us." is a normal human coping mechanism, so I can't blame business people for looking at it that way. IT people, on the other hand, are the odd ones who actually admit that it can happen to us. Here's to the crazy people!

Businesses that have to conform to PCI are in a better position. They've been given a standard that must be followed in order to continue doing business. I'm not suggesting that the PCI DSS is necessarily the best basis for policy, but at least it's a beginning. Maybe PCI has it right and the "iron fist in a velvet glove" approach is a good way to do it. Still, a bit harder to leverage as a consultant or employee.

mharvey
Level 17

We actually had a client I was working with at an IT services company that came to us having run through that issue (breached before they took action).  With their permission we used that as a way to lead into that type of conversation with other clients and new clients we were taking on.  Currently with the job I'm in, they are aware of how important this is and are willing to make needed investments into IT and security to ensure things like this don't happen, to the best of our ability.

ghostinthenet
Level 11

It's a good approach. Take it step-by-step and make it a cultural thing... but what if we're not there yet? Let's say we're dealing with a business that still doesn't see the need at all. The question then becomes: In compliance with what? No policy, no compliance.

ghostinthenet
Level 11

Testimonials! Good option. I'm leaning toward the position that there has to be pain, but maybe sometimes it can be someone else's pain.

mharvey
Level 17

And especially in the mid-size market it can go to show that you're as vulnerable, and not quite as hidden as you perceive.

cahunt
Level 17

Very true, and no better way to approach this (I make sure management is aware that we are not in compliance)!!! As I read years ago when perusing what at the time were laws governing this so-called compliance, of those who are aware of said 'non-compliance' it is the one who holds the most rank that will be held responsible. So if I never informed my manager of our EULA violations then I can catch that FINE.

mharvey
Level 17

I did not realize that.  Very good information to have. Thanks for sharing that. 

Jfrazier
Level 18

Ah...but you do have to document that you informed a higher up or it never happened...plausible deniability.

cahunt
Level 17

This was a dozen years ago, check to see if they have changed lately.  It is not something I have to worry about where I am at now.. but that night after the day when I put it up on the board after a full audit stating we needed X number of OS licenses, and Y number of application licenses, I slept really well.

***Caution: Be careful if that # is too large - make sure you put yourself in there as part of the solution (as opposed to them not paying you in lieu of obtaining the licensing that is needed).

cahunt
Level 17

Email is a beautiful thing. If you BCC it to one of your gmail accounts it can easily be brought up... I'm sure Google would supply that email even without a subpoena.

cahunt
Level 17

You're never hidden if you have a public IP.

Jfrazier
Level 18

Yes it is....unless your company policy purges everything over xxx days with no local PSTs allowed.

So there are other methods you can use too....like an incident ticket.

cahunt
Level 17

Sounds like they would also tell you that all emails are their property and you do not own them. And why would they have their lawyers subpoena anything that would exonerate you? I hope you have a good lawyer. You must work for the IRS.

I am sure your ticket would remain intact until you needed it for exoneration purposes. I could also see a new ITSM implemented just before you get a copy of your exonerating ticket back in your own hands. Who deleted that old DB?

I think it is safe to say that with the lack of loyalty that most businesses have, it's just better to CYA.

Print that email-translated ticket and lock it away in your safety deposit box, keep another copy of that in your firebox at home, one in your glove box, and also one in that emergency duffel with the extra set of clothes and unmarked cash & passports.

Jfrazier
Level 18

Ahhhh...you guessed part of my gameplan.

tcbene
Level 11

Most of the time security is an afterthought; it is unfortunate but true.  Thank you to those who are the scapegoats with the first breach, which opens up the eyes of everyone else to take action.

jkump
Level 15

I work in the medical field and obviously security is uber important.  Fortunately, this environment lends itself to multiple layers of security for all connections.  From IP reputation services on the incoming and outgoing interfaces on the firewall, to multiple scrubbers and URL rewrites on incoming email, to extensive VLAN configurations, keeping data only flowing to the users and locations that actually need it.

I too have spent parts of my life where security is always an afterthought.  But as a dedicated long-term IT professional, I have always taken the tack:  "I learn what the bad people do, so I can prevent it from happening to my customers/users."

crwchief6
Level 11

Being in insurance, security is of the utmost importance. We have gotten our fair share of viruses way back and management finally decided it was time to get a system in place to prevent not only viruses but other hacks. Money was the main factor why we never did anything proactively. We took our chances and it came back to bite us.

goodzhere
Level 14

I have been very fortunate in my career to have upper management that at least somewhat understood the importance of security.  Working in government environments also helps, since we are bound by certain standards.  I have also worked in the commercial environment as well.  Most of the time, smaller businesses have no clue.  I give recommendations and it is on them whether or not to make those "improvements".  That is what they are to them.  It is not currently impacting business, so unfortunately, until it does it is not much of a concern.  Some will go with my recommendations, at least as a phased approach.  Overall, there is not much you can do or say to convince someone until it is impacting business and money must be allocated.

jay.perry
Level 11

It's nice when management also believes in protocol, if not they need to be persuaded in meetings. Thanks again.

jswan
Level 13

Most organizations of any substantial size are already compromised, by opportunistic malware if nothing else. Using some free tools to find those intrusions is a good way to get the attention at least of middle management.

theflyingwombat
Level 9

My company seems to trust our security team and their recommendations so devices and software get purchased without any kicking and screaming.

lhoyle
Level 10

My employer has taken MANY steps to keep the fox out of the hen house. Increased head count, specific individuals recruited, and all of the tools that we need. It is taken very seriously.

byrona
Level 21

What I would love to see is some good reference architecture for a good security implementation.  I would imagine this reference architecture showing the different components as being associated with different maturity levels all the way up to a DoD level of security.

If anybody has seen or knows of anything like this I would love to see it.

_stump
Level 12

One way to make your case for stronger security is to collect log information on the number of attacks you see at your edge devices. Bundle that data up into a short slide deck (because management-types communicate via PowerPoint, amirite?), throw in some graphics to explain that the company's networks are under constant assault (bonus points if you can quantify the attacks and their points of origin), and present it to your senior management.

Imminent danger is a hell of a motivator.
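One way to do the quantifying _stump describes, as an added example that is not from the thread: a short Python script that parses firewall deny lines (the log format and sample addresses here are constructed, not from any real device), skips allowed traffic, and counts blocked attempts per day, per source /24 and per targeted port so the numbers can go straight onto a slide.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog-style deny lines (not real traffic); the format
# is made up for this example, so adapt LINE_RE to your edge device's output.
SAMPLE_LOG = """\
2014-03-03T02:14:07Z fw1 DENY proto=TCP src=198.51.100.23 dst=203.0.113.10 dport=22
2014-03-03T02:14:09Z fw1 DENY proto=TCP src=198.51.100.23 dst=203.0.113.10 dport=22
2014-03-03T03:41:55Z fw1 DENY proto=TCP src=192.0.2.77 dst=203.0.113.10 dport=3389
2014-03-03T08:02:13Z fw1 ALLOW proto=TCP src=203.0.113.44 dst=203.0.113.10 dport=443
2014-03-04T11:20:01Z fw1 DENY proto=UDP src=198.51.100.23 dst=203.0.113.10 dport=53
2014-03-04T11:20:04Z fw1 DENY proto=TCP src=192.0.2.77 dst=203.0.113.10 dport=22
2014-03-04T23:59:59Z fw1 DENY proto=TCP src=192.0.2.200 dst=203.0.113.10 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_denies(text):
    """Yield parsed DENY events as dicts; malformed or ALLOW lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("action") == "DENY":
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def summarise(text, top=5):
    """Count blocked attempts per day, per source /24 and per protocol/port."""
    by_day, by_src_net, by_port = Counter(), Counter(), Counter()
    for ev in parse_denies(text):
        by_day[ev["ts"].date().isoformat()] += 1
        # Aggregate sources to /24 so a scanner rotating hosts still shows as one origin.
        by_src_net[".".join(ev["src"].split(".")[:3]) + ".0/24"] += 1
        by_port[f'{ev["proto"]}/{ev["dport"]}'] += 1
    return {"total_blocked": sum(by_day.values()),
            "per_day": dict(sorted(by_day.items())),
            "top_source_nets": by_src_net.most_common(top),
            "top_target_ports": by_port.most_common(top)}

def render(summary):
    """Plain-text lines ready to paste into a slide."""
    out = [f"Blocked connection attempts: {summary['total_blocked']}"]
    out += [f"  {day}: {n}" for day, n in summary["per_day"].items()]
    out.append("Top source networks: " + ", ".join(f"{n} ({c})" for n, c in summary["top_source_nets"]))
    out.append("Top targeted ports: " + ", ".join(f"{p} ({c})" for p, c in summary["top_target_ports"]))
    return "\n".join(out)
```

Running `print(render(summarise(SAMPLE_LOG)))` on the constructed lines gives six blocked attempts, three per day, with TCP/22 as the most targeted port; on a real export the same per-day series over a few weeks is the "constant assault" chart.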

patrick.mchenry
Level 11

great information

cahunt
Level 17

Can I just stand up and scream, 'ICEBERG!!' in our next meeting?  Eh, I think your idea may be a little better.

darragh.delaney
Level 12

I always get them to look out the window or onto a corridor and say to them: Why do we have CCTV cameras up? What is the ROI on them? It is hard to calculate unless you have a problem. SIEM and network monitoring tools fall into the same space. They are there to watch over things, something to record activity, and should there be a problem we can look back and review what happened and then take the appropriate action. If they get why security cameras are important then they should be able to get why network monitoring is important.

jkump
Level 15

An interesting point of view.  One that I will hang on to.

tinmann0715
Level 16

An interesting perspective. I am in an organization that does not prioritize infrastructure support tools. Instead, we have a whole bunch of tools that have been implemented that run without any care and feeding. Then, when we need to go to it for assistance, it's not collecting data. Later, when we implement yet another tool we do not augment the staffing accordingly. The Circle of Failure continues.

About the Author
Network Greasemonkey, Packet Macrame Specialist, Virtual Pneumatic Tube Transport Designer and Connectivity Nerfherder. The possible titles are too many to count, but they don't really mean much when I'm essentially a hired gun in the wild west that is modern networking. I'm based in the Niagara region of Ontario, Canada and operate tishco networks, a consulting firm specializing in the wholesale provisioning of networking services to IT firms for resale to their respective clientele. Over my career, I have developed a track record designing and deploying a wide variety of successful networking solutions in areas of routing, switching, data security, unified communications and wireless networking. These range from simple networks for small-to-medium business clients with limited budgets to large infrastructure VPN deployments with over 450 endpoints. My broad experience with converged networks throughout Canada and the world has helped answer many complex requirements with elegant, sustainable and scalable solutions. In addition, I maintain current Cisco CCDP and CCIE R&S (41436) certifications. I tweet at @ghostinthenet, am a Tech Field Day delegate, render occasional pro-bono assistance on sites like the Cisco Support Community and Experts' Exchange and occasionally rant publicly on my experiences by "limpet blogging" on various sites. Outside of the realm of IT, I am both a husband and father. In what meagre time remains, I contribute to my community by serving as an RCAF Reserve Officer, supporting my local squadron of the Royal Canadian Air Cadets as their Commanding Officer.