A colleague of mine at work started blogging again last weekend, highlighting a very good point: if 2-Factor Authentication is being offered to online gaming players, then why the hell are there still governments and financial institutions across the world that rely on basic UserID and Password authentication for their online services?
Although an interesting debate, I’m not going to go into a rant about this today. What has caught my eye, though, is an article in today's Australian IT highlighting that a survey reveals the majority of Australian Organisations are confident in the security of their IT systems, have rarely had that tested, and believe they can withstand all types of attacks.
Although I would like to see the details of the survey, this statement scares me. The article describes how:
[…] organisations have reached a level of comfort with security, as most internal security projects have been completed.
“We hear from the security vendors that the end of the world is coming, but businesses just don’t believe it,” Hydrasight analyst Michael Warrilow says.
It’s not surprising that organisations feel that way, as they have invested a lot to improve network security, he says.
As Information Security practitioners, this proves to me that we have still failed to get our message across to Business Leaders. Even though the IT Industry has spent (and earnt) millions of dollars implementing network security products, all they do is protect computer networks and boxes. And only then if they are implemented and configured properly. And don’t have any users.
Australian organisations seem to have been consistently told by Software Vendors and IT Consultants that implementing some software or hardware will automagically make you secure. But what this view of the world fails to address is that whilst our technology may be OK, Information Security also needs to encompass securing information in People, Management, Processes and Strategy. It's far more difficult to do this – and it's not something you can “implement”.
Organisations need to address Information Security proactively, to make it a living, breathing part of their culture, instead of effectively wasting money on “tools” or “products” that claim to do this for you. Bob Blakely of the Burton Group makes a strong, well-reasoned argument about how the current buzzword of “Governance, Risk and Compliance” products are marketed and sold by the IT vendors (such as here, here, here and here). He correctly states that buying this stuff will not give you the Governance, Risk or Compliance that their salesmen implicitly promise. At best, all these tools will give you are some pretty pictures of summarised data that an Operations person will find useful when preparing a presentation to his bosses. Information Governance, Risk Management and Compliance Management are all business processes that need to be owned and driven by the Business, but organisations tend to only do so when forced by an external entity (e.g. through Legislation or Commercial Obligations).
Of course, this stuff is hard. It will take time. But the first step, I feel, is for organisations to take the ownership of Information away from the ownership of Technology. Information is a business asset that can be stored and managed using various technologies; but needs to have its own management lifecycle and risk management processes.
Let's face it … fundamentally, if I wanted to get some sort of information out of a company, would it be easier for me to hack through its IT network or web-based applications, or would I just pretend to be a consultant, become employed by them and grab it from the inside? Or, even better, walk into their offices pretending to be a courier, contractor or salesman and flirt excessively with the stressed office manager or receptionist. Kevin Mitnick proved that it's easier to “hack” the process or the people – but still organisations put all of their eggs into one basket by securing the technology.
As the article correctly states:
“Organisations might think they’ve solved the problem but the threats are increasing and they’re going beyond technology to target people,” he says.
“Complacency is the enemy in this situation.”