
Operational Security

6/9/2017 12:12 PM
Joe Campbell
News Analysis-Security Now

From Enemies to Allies: Addressing Security Culture Clashes in Your Organization

Building secure organizations starts with people, not technology. Part 2 of a 2-part article.

In last week's piece, I addressed the different types of security cultures within today's organizations. You have your "security bullies" -- the teams that refuse to compromise with other internal stakeholders in the business when it comes to implementing security policies, in turn only inciting teams to find insecure workarounds and loopholes. And then on the other side of the spectrum, you have the "elephant in the room" -- when business teams only see security as stifling agility and innovation, refusing to include them in critical conversations. In both cases, both sides of the table need to become allies to the business and each other. Let's talk about how we can get there.

Getting equipped for the conversation
At this point, many may be thinking their task is simple: Don't be a bully if you are, or simply make yourself heard if you are the elephant. The truth is, this isn't something that is going to be fixed without a more conscientious approach. Before you embark on getting to the table in partnership with the business, you need to learn more about the importance of your job. You need to be prepared to explain to the rest of the company why security matters.

Understand how defense has evolved
The traditional approach to security has been the same for millennia. It was employed by the Roman legions and is employed today in our businesses. Often called "defense in depth," the strategy consists of sequential layers of defense meant to weaken the enemy and finally, defeat it. Where there were once castle walls, moats and battlements, there are now physical security, firewalls, authentication barriers and more. This approach to security is really not a mystery to the business. In fact, most of the folks in the business would probably describe security in this way.

On top of their understanding is the expectation that this can and should be done silently and transparently to their daily operations. Perhaps they have not been reading security blogs lately.

Have you heard any of these phrases before?
"They are already in the walls."
"You've already been hacked."

There seems to be enough evidence in the wild that our traditional approach to security hasn't been working. We all need to begin rethinking security with an understanding that an evolution and revolution in our approach is necessary. This revolution requires that security begins to understand the business and that the business actually has a stake in security too. It's our responsibility to explain this to them in the simplest way possible and open the door to new and positive relationships.

Identity in depth
To put it simply, not having a robust perimeter security solution, competent authentication and even multi-factor authentication would basically tell me you were being negligent. But as we all know, it simply isn't enough. Today, each defensive layer in the organization needs to be augmented with identity. The layers alone are simply not enough. Firewalls and VPNs need to be checking for more than simple credentials; rather, they should be aware of who is connecting and what this user's capabilities are in the business.

Applications can't simply react to basic role-based access control logic, but rather must be supplemented with separation of duties and toxic role logic you get from an IAM solution. Web portals can no longer rely on simple SSL and authentication, but rather understand if the connecting user matches what we know about this user's typical forensic thumbprint. In essence, the only defense we have for the new breed of hacker (who is really just a modern "identity thief") is to always have identity front and center. It is this revolution in defense -- from defense-in-depth to identity-in-depth -- where we can begin to change the conversation.
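
To make the "identity in depth" point concrete, here is an added illustration (not code from the article or from One Identity) of what it means to layer separation-of-duties and toxic-role logic on top of plain role-based access control. The roles, permissions and toxic permission pairs are constructed sample data; a real IAM product would source them from its policy store.

```python
"""Identity-in-depth: separation-of-duties (SoD) rules layered over plain RBAC.

Added illustration, not the article's or any vendor's code. All roles,
permissions and toxic pairs below are constructed sample data.
"""

# Constructed sample RBAC data: role -> set of permissions it grants.
ROLE_PERMISSIONS = {
    "ap_clerk":     {"invoice:create"},
    "ap_approver":  {"invoice:approve"},
    "vendor_admin": {"vendor:create", "vendor:update"},
    "auditor":      {"invoice:read", "vendor:read"},
}

# Constructed toxic combinations: permission pairs no single identity may hold,
# because together they let one person complete a fraud end to end.
TOXIC_PAIRS = {
    frozenset({"invoice:create", "invoice:approve"}),
    frozenset({"vendor:create", "invoice:approve"}),
}


def effective_permissions(roles):
    """Plain RBAC: the union of permissions across the identity's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(roles):
    """Return the toxic permission pairs that this role set would create."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= perms)


def can_assign_role(current_roles, new_role):
    """Provisioning-time check: refuse a grant that creates a toxic combination."""
    return not sod_violations(set(current_roles) | {new_role})


def authorize(roles, permission):
    """Runtime check: the RBAC grant must exist AND the identity's role set
    must be free of SoD violations, otherwise deny with a reason code."""
    if permission not in effective_permissions(roles):
        return False, "rbac-deny"
    if sod_violations(roles):
        return False, "sod-violation"
    return True, "allow"
```

The provisioning check stops the toxic combination from being created, and the runtime check catches one that slipped through (for example via a role granted outside the IAM workflow).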

Starting over
Again, our goal in security is to be an invited and trusted member of the business discussion, but both of our troubled security cultures above have a similar problem to fix. Whether your team has been bullying the business or has been seen as irrelevant, we need to re-introduce ourselves. Put your kingdom-building or your meekness aside and tell the business: "we need to talk."

The conversation can go something like this:
"The traditional approach to security has changed and I realize that we've both made some mistakes." Explain how you understand what the business thinks about security and that it makes sense to you, but then take some time to talk about the dangers of a security breach. Do this in a way that doesn't present tales of doom and gloom, but speaks to critical business issues that matter to them. (Typically people don't like drama.) Instead draw on recent examples of intellectual property theft, customer distrust and big losses to the bottom line -- all things that they know and understand, and more importantly, can hugely impede the business. Take some time to explain how the practice of security has evolved, and how through the concepts of identity-in-depth, we both have our best opportunity to stop them in their tracks. Now comes the easy part: Tell them how important they are!

The business is essential
As security team members, we can freely admit that we're not really experts on the tasks, goals, and issues that our business leaders deal with. This is why you need to explain that in this new world, business has a greater say in how our security posture is designed. Only the business knows who needs access to what function or which roles should be granted only with approval from the boss. Explain to your new partners that you are there for them and that you need to make decisions together that can satisfy the requirements of the company in general. It is because of the change in the threat landscape that you are here and that we need to build a new relationship.

For the bully in the room, your approach to security has done more harm than good. This redefinition of our goals in security gives you an opportunity to repair your relationships and start working for the good of the business. Educate your team on a business-centric approach to security and teach them that changes made to the organization simply cannot interfere with the goals of the business.

For the elephant in the room, your time spent away from the table must come to an end. We can't begin to embark on a new security relationship unless we are actively spending time to understand the business, and you need to look for those opportunities. Listen at first, wait until you feel you are beginning to understand, and then make the bold move to suggest partnerships that you know solve the problems the business has.

Building the trust that has been missing for so long is simply the first challenge you need to conquer. Only after that can we begin to tackle the technical problems that we face... and with our new partners.

Joe Campbell is principal security advisor at identity and access management company One Identity. His professional career spans innovations for some of the world's biggest companies, and he's pioneered new, award-winning technologies in wireless, RFID, visualization, communications and telephony. As a trusted security advisor, his unmatched experience in security and software architecture makes him a highly respected leader in the technology industry.
