Having an IT Security Philosophy

Andre Preoteasa
3 min read · Aug 20, 2018


It seems cyber threats are everywhere. They are, and they’re growing. It’ll get worse before it gets better. Hacking has become a global industry where only a reliable internet connection is required to get started. Everyone should be on defense right now, protecting their digital assets. It’s not easy, but it’s not impossible. The first step is to have a starting point.

I’ve been in IT for 15 years, most of that time doing security alongside management and operations. A lot of interesting projects have come across my desk and I have come to accept a few facts about security that guide all IT implementations where I am responsible.

  1. A system will never be entirely secure. While the goal is to be as secure as possible, 100% security will never be reached, regardless of how much money is spent.
  2. Security is a reaction to threats, therefore, evolve your security as threats evolve.
  3. Security requires adoption from all stakeholders, including IT and the end users. If people are writing down their passwords on post-its, that’s the fault of IT for not having a working security environment.
  4. Security is a compromise between convenience and protection. Where you settle between these two depends on many factors.
  5. Security costs money. If not money, then another resource such as time or compute. Invest in security and it’ll invest in your company.

How IT security is implemented is guided by an IT security philosophy. While we in infosec (short for information security) discuss frameworks endlessly, we don’t talk enough about philosophies. It’s important because security can get complicated and, after some time, become more of a problem than a solution.

My IT security philosophy is simply that security must protect the IT goals while supporting the business goals. Let’s dig into this.

Every organization’s IT leadership should, for example, have a goal of users being able to successfully log onto services so they can get their work done. Some of the objectives would be: secure login (the intended person logs on), provisioning (turn on and off access), and predictability (same username across services or clear directions when different).

Single sign-on (“SSO”) allows one person to have one login for many (if not all) services in an organization. Security for SSO would be implemented so that it protects the IT goals while supporting the business goals. The security must not get in the way of the organization pursuing its goals, such as 10x growth in sales.

At some point, the philosophy stops and the implementation strategy and support methodologies come into the picture. As long as the IT leadership understands that security is not to negatively affect the business goals, then the organization is in good shape.

Here is a real-world example. I’ve seen organizations’ IT departments require IT consultants to be on-site (literally in the same physical space) to perform work. While this ensures (to a degree) that the IT consultants are working in a secure environment, it slows down the overall work. If those consultants are called to fix a problem, they waste time getting there, which could affect end users. Clearly, this is ridiculous.

It would be better for the IT department to provide unique user names with multi-factor authentication for the consultants to keep the login process secure. It’s good for the business, IT and the security environment. That’s a start.

IT security will constantly change, but organizations’ missions and business goals rarely do. Therefore, it is important, at the least, to articulate the IT security philosophy as you would a mission statement. I’d like to see more infosec professionals talk about their IT security philosophies before we discuss frameworks and deployment strategies.
