
Don't Delegate Security

By Linda McCarthy

The following article is excerpted from "IT Security: Risking the Corporation" by Linda McCarthy, published by Prentice Hall.

Every company has its own culture when it comes to security. That's why what's good for one company is not necessarily good for another. Each company should understand what it wants from security and then practice it from the top down. Management cannot be excluded.

When executive management does not place value on security or take responsibility for security (as if it were someone else's job), it sends a message to the people at the line level that management does not really care. In response, line-level people often lose interest in security as well. That's a risky message to send!

Don't delegate security

All too often, managers seem to rule from on high with little or no contact with the masses. When that happens, security suffers. This scenario illustrates the types of problems that can occur when security mandates are dictated from above.

Simply voicing the importance of security is not enough. Virtually everyone knows that computer security is an important issue. Unfortunately, they usually think that it's an important issue for somebody else.

Remember that we are all responsible for the security and the safety of our data. That includes the highest executive, as well as the lowest technician.

Keep levels of management to a minimum

When too many levels are involved in security, security messages can be misinterpreted, misunderstood, or simply lost. If you are an executive manager and you have no idea which manager is in charge of security for your company, take a long hard look at your chain of command. Too many links can weaken even the strongest chain.

If you're a link at the end of the chain, make sure you know exactly who it is that wants you to complete a given task. Keep in mind here that "management" is a concept, and not a person's name. You can't very well report back to a concept if you run into implementation or operational problems.

Report back to executive management

I recently met with a CIO of a large manufacturing company to talk about security. She wanted to know how she could tell if her network was at risk. I asked her the following questions:

  1. Have you ever received an executive security report?
  2. Do you have a security manager?
  3. Do you have any security experts?

The CIO answered "No" to every question. She also wasn't sure whether or not her firm had ever conducted a security audit. She was wondering whether she needed to hire a security consultant. I told her to ask her line management to conduct a security audit and provide her with a one-page executive summary within 30 days. "If your team can't conduct a security audit or provide you with an executive security summary, you definitely need outside help," was my answer.

System administrators, and anyone else likely to be blamed for security problems, should make it a point to provide executive-level security summaries on a regular basis. Ideally, the reports will prompt management to approve funding, increase head count, provide training, or supply whatever else you need to fix the problems. In the worst case, you've got written reports to cover your posterior.

Even when the result of a security audit is good (no major security risks), management still needs to receive an executive summary. As I noted earlier (many times!), security problems aren't always apparent to the naked eye. It isn't usually obvious when a problem has been fixed. That's another reason why executive managers should request a concise (one-page) executive-level security summary on a regular basis.

Set security as a corporate goal

You may have trouble maintaining security because everyone is too busy trying to reach other goals. If you have problems maintaining security in your company, consider adding security as a goal for every level of management.

Provide or take training as required

For security to work, everyone needs to know the basic rules. Once they know the rules, it doesn't hurt to prompt them to follow those rules. Use e-mail to send regular reminders about the importance of information protection, password maintenance, system security, and so on. If you or your employees haven't participated in training on basic security precautions, do it or see that it's done.

Ideally, your company should already have people who know enough about security to design and run basic training sessions on their own. If they don't, take the time to arrange for external training.

Now, before you say, "We don't have time for that sort of thing," think creatively. Training doesn't have to be cumbersome or excessively time consuming. Some firms use prerecorded videos to fit into employee downtime or even offer individualized e-mail classes. Training doesn't have to mean 30 little desks lined up in orderly rows. Pick a method that works for your company.

Make sure that all managers understand security

It is especially important that all members of management understand the risks associated with unsecured systems; otherwise, management choices may unwittingly jeopardize the company's reputation, proprietary information, and financial results. I'm not saying that you need to be a security expert, but you should understand the basics and get the lingo down.

Communicate to management clearly

Too often, system administrators complain to their terminals instead of their supervisors. Other times, system administrators find that complaining to their supervisors is remarkably like complaining to their terminals.

If you're a supervisor (or other manager), make sure that your people have easy access to your time and attention. When security issues come up, pay attention! The first line of defense for your network is strong communication with the people behind your machines.

If you're a system administrator, make sure that talking to your immediate supervisor fixes the problem. If it doesn't, you should be confident enough to reach higher in the management chain for results.

Checklist

Use this checklist to determine whether your company's organization and management levels allow security concerns to be addressed adequately. Can you mark a "Yes" beside each item?

  • Are executive-level security summaries produced regularly?

  • Does a clear communication path exist from the top level of management to the line-level workers? And, more importantly, does everyone know what or where that communication path is?

  • Does responsibility for security rest with a Vice President, Director of Security, or other member of management? The higher up in management the responsible party is, the better! Make sure that the manager responsible for security isn't buried deep within the organization, and has the authority to act. Otherwise, he or she will be just a scapegoat.

  • Has management demonstrated that it is committed to the company's security program by appropriately presenting and enforcing it?

  • Has adequate funding for security been allocated and made available?

  • Do all system administrators understand the importance of reporting and resolving security issues quickly?

  • Is security awareness training provided as part of the standard orientation for new employees at all levels, line-level and upper management?

  • Have steps been taken to ensure that all employees (from the top down) are aware of the company's information-protection policies?

  • Were the realities of the company's culture (in terms of management/worker relationships) considered when the security policies and procedures were developed?

  • Do employees know whom to call for help when a security breach occurs or when they don't understand their roles?

  • Are security audits conducted on a regular basis?

Final words

If you are an executive manager and you expect your intranet to be secure without proof, you may be in for a surprise. Threats against enterprises continue to rise, requiring higher and higher levels of security on intranets.

In the early 1990s, we approached a new crossroads in computer security. A few years back, many companies took the low road (little to no security protection) because the risks were fewer and the consequences less devastating. That situation exists no longer. Today, the threat to data on intranets is higher than ever. If your intranet is already at risk from out-of-the-box installation, inadequate security funding, and poor corporate communication, you need to get in gear now.

As this case clearly demonstrates, having poor communications in and of itself is a major security risk. Most of the actual security violations in this case study were pretty basic: simple passwords, out-of-the-box installations, and so on. In this phase of the computer revolution, no self-respecting network should suffer from symptoms so simple, especially when most could have been fixed fairly easily with better communications.

Unlike armed robbery, computer crime doesn't always seem like the major problem that it is. Often hidden by the victim to prevent further damage (to stock values, reputations, and so on), computer crimes are growing at a phenomenal rate. At the National Infrastructure Protection Center, an FBI section that works with government offices as well as private companies, the number of active computer crime cases has doubled every year since 1998. The cumulative cost of those cases has risen accordingly. A survey given by Information Week and PricewaterhouseCoopers in mid-2000 estimated the cost of just computer virus damage for that year at $1.6 trillion. As the FBI's Leslie Wiser noted in his address to Congress on cybersecurity in August 2001, "That figure is larger than the gross domestic product of all but a handful of nations."

The CIO of any company should be kept abreast of serious security risks on the corporate network, including successful break-ins. I'm sure your CIO would rather hear about break-ins from line-level management than from CNN Headline News. If you don't have a clear communication path to the top, create one.

Linda McCarthy is executive security advisor at Symantec Corporation.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
