Security Stops Here

By Jesse Freund

Increasingly, IT security involves the people who use a system, rather than the technologies that safeguard it. In order to tighten security, CIOs must focus on accountability policies and practices that protect the enterprise from human error and malfeasance.

Today's companies make significant investments in IT security technology. In general, every ounce of prevention provided by authentication, validation, and intrusion detection is well worth the pound of uncertainty it removes. And yet, as any security consultant will explain, a system is only as secure as its weakest link, and the weak link in today's security systems is, more often than not, human behavior. Despite the focus on systems and software, 80 percent of all security violations arise from sources within a company, according to security expert Christopher Darby.

The risks posed by the behavior of employees, partners, and vendors explain why smart CIOs take the human side of security very seriously. At this year's HealthSec 2004 conference, Dr. John Halamka, the CIO of CareGroup HealthCare System, delivered a speech titled "You're Fired! Security Breeches, Pink Slips, and Public Executions." In it, he described how doctors in his healthcare company's network had been sacked and publicly chastised for security breaches such as verbally abusing a patient in a chat room or peeking into a spouse's psychiatric drug history. CIOs need to keep such transgressions in mind when considering overall network security.

Firing employees for a momentary misjudgment might seem severe, but with government regulation tightening and concern over privacy violations growing, increased scrutiny demands visible, decisive action. Of course, there's a flip side: The action also must be appropriate, consistent, and understandable. But while the challenge of developing a fair and strict security strategy is daunting, the risk of not doing so is more formidable.

STEP ONE: Know What You're Working With

Before CIOs can begin to see the trees, they must understand the forest. As such, the first step toward developing an effective security strategy is to undertake an audit of all of an enterprise's digital assets, as well as all potential user interactions. While the task is large and painstaking, there are several steps CIOs can take to make it manageable:

  • Make security an enterprise priority.  The CIO must get buy-in from senior management to ensure an organizational commitment to security.

  • Involve department heads.  A team of senior managers from across the enterprise should list all digital assets. Simply put, the CIO can't do it alone. Either the CIO has the power to require this from managers across the company, or someone above him or her needs to make it a mandate.

  • Define interactions.  Once the digital assets have been defined, department heads should describe how employees, partners, and vendors interact with those systems.

  • Prioritize risks.  After the assets and interactions are known, department heads should prioritize the potential risks arising from security violations.

The ultimate goal is to have a blueprint of the systems and the interactions, so a CIO can begin to prioritize security issues.

STEP TWO: Define and Monitor Access

Before firewalls, authentication technologies, and authorization systems can protect an enterprise, managers need to figure out how to let the right people in and keep the wrong people out of each individual system. For example, while it might be beneficial to give a vendor access to supply chain software, you don't want that partner poking around in payroll records. Similarly, access to sensitive corporate financial data, proprietary product strategy information, and personal employee records must be clearly defined and limited. Once access privileges have been defined and implemented, enterprises should audit actual usage and maintain an enforceable audit trail.

STEP THREE: Write It Down

It's not enough to have a security strategy; managers, employees, and partners need to understand it. When developing a written security approach, CIOs should focus on creating a policy that is easy to follow:

  • Keep it simple.  The first rule of policy management is that complexity is the enemy of security. Rules must be easy to understand and execute.

  • Make technology user-friendly.  If firewalls and encryption technologies are invisible, then written security policies don't need to address them.

  • Bring the rules to the department level.  In order to make sure employees understand the security approach, CIOs should require managers to regularly discuss security issues at department-level staff meetings.

  • Make sure people sign it.  It may seem obvious, but a security policy is not enforceable if employees don't sign it.

The goal of written security policies isn't intentionally punitive; CIOs shouldn't be looking to catch violators. The idea is to have easy-to-follow rules in place that prevent potential security breaches.
 
STEP FOUR: Enforcement With Teeth

Despite well-laid plans, sometimes things do go wrong. Instead of devolving into crisis mode at the first sign of a security violation, managers need to act swiftly, appropriately, and consistently to mete out justice. While it might seem harsh, violations of an IT security policy are a significant threat and often a fireable offense.

"People need to understand that a breach of cyber security is no different than capital theft," explains Christopher Darby, CEO of XML firewall maker Sarvega and author of the Harvard Business School article "Computer Security Is for Managers, Too." "In order to offer a strong deterrent, companies should prosecute the daylights out of violators, and then make that known organization-wide."

STEP FIVE: The Others

Today's business often involves complex relationships among vendors, partners, and customers. Nevertheless, a security strategy must remain consistent. Digital assets must be identified, and access privileges must be defined. A written security policy should be signed by anyone who comes in contact with an enterprise's IT systems. And partners and vendors should be encouraged to discuss your security policy with their staff at department-level meetings. While it might seem difficult to get partners to discuss security policy at their staff meetings, if partners are aware of the consequences for violating the security policy, they will have a strong incentive to do so. Everyone must be made aware that violations will be taken seriously.

While developing and enforcing an effective security strategy involves a fair amount of work, careful planning, thorough documentation, and consistent enforcement can provide more than an ounce of prevention. There's no secret to good security: Eliminate the weakest link. Or, as Christopher Darby explains, "good security boils down to simplicity in policy and severity in repercussion."

Jesse Freund is a Contributing Writer at Business 2.0 and a frequent contributor to Wired. 
