A View from the Trenches, the General State of IT Security

Consultants who work with IT security audits often are a valuable resource regarding the general state of IT security. They work for a number of clients in various industries over a number of years and therefore get a perception of the general state of things such as IT security awareness. I’m one of those consultants and I believe I have some observations on this issue. While speaking of none of my clients in particular the need for IT security is mostly driven by external factors and specific incidents rather than management’s desire to leverage IT security for business objectives. For instance, new legislation and directives from the EU and the US have pushed the adoption of Information Security Standards such as ISO/IEC 27001 and PCI DSS. These increased expectations are forcing organizations to spend money and resources to implement the applicable standards, because of the new laws and directives. Given the choice, more often than not, organizations would choose to spend the investment elsewhere expecting a better return.

Another example that we are reading about in the news on a regular basis, is the hacker security breach, which has affected some major companies, such as Target retail stores, eBay and very recently Apple’s iCloud.  Besides the Brand management damage control caused by a major security event and the possible discipline for the IT or security personnel, a major security event often jars the management team into adopting an IT control framework such as ISO 27001. That is like management allocating resources to buy fire insurance only after the need presents itself when the Headquarters burns down.  In other words the need for IT security is not proactive but reactive, driven by external factors rather than the prudent management of IT resources.

The Certified Information Systems Auditor Review Manual provides the following definition of risk management:

“Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.”

While doing consulting work for companies certified or in the process of adopting a control framework to manage IT security, I have reviewed a number of Risk assessments and BCM plans. RAs and BCPs are part of any modern control framework for ISMS, but the practical application of these required controls takes many forms. Often many of these risk assessments are created to present an existence of the identification process, rather than the practical use of an effective risk management system.

Three critical elements of efficient IT / information security risk assessments:

1. Processes/assets
   1. Executive team determines risk appetite and risk tolerance levels
   2. Distinguish critical assets and processes the organization must protect
2. Risks
   1. Identify the relevant risks associated with the threats and vulnerabilities of the assets
3. Controls
   1. Choose the accepted control framework that is appropriate to best mitigate the identified risks

While this does not seem like rocket science, as a consultant I’ve seen every conceivable permutation of the above. Generally small to medium enterprises should begin by organizing an inventory of 10-20 critical IT assets/processes, the risks associated with the critical assets/processes, and the controls assigned to mitigate the identified risks.  Risk assessments attempting to manage hundreds of assets and the associated risks, usually become unmanageable and the review or pro forma of such complex risk assessments is tremendously overwhelming.

My experiences aren’t always bad.  I have also seen very good risk assessments strategies and I know that, basically, this is just a matter of knowledge.  Understanding how to stop the bad things from happening by figuring out what can happen and knowing how to prevent or react to the situations will be the best course of action. Usually, spreading the knowledge by informing those persons, who can directly impact the situations on a daily basis, what to do and how to do it properly is a major step in the right direction.

This brings us to the question of how to enhance IT security with the help of people maintaining IT.  I find that the most common stumbling blocks are:

• Apathy
  • There exists a complete lack of interest in IT risk until something happens
• People
  • The majority of employees don’t understand how they can impact the IT risk of the organization
• Management
  • IT risk identification and prevention is costly unless something happens where the preventative measures proved to save the organization money
  • The cost of IT risk is restrictive both for operations and creativity
• Technical
  • Incidents are prevented and managed by technical solutions (better equipment and frequent testing are significant investments)
  • Prevent people from doing something potentially harmful,  instead of trusting every individuals actions and motives
  • Risk assessment not used efficiently
  • Business continuity management not prepared or utilized properly

This article was designed to present an all too common problem many organizations are encountering, while establishing an effective ISMS and risk mitigation strategy. Although most aspects of IT Security are obvious, the implementation of the proper processes, procedures and controls, as well as the collective belief in the strategy, are very difficult to collective execute across an organization.