Despite creditable advances in information security technologies, corporate information systems are still constantly proving their vulnerability. So we have to ask, what is going wrong?
The fundamental problem is "stick-on security" - considering information security as an afterthought instead of building it into the enterprise as an intrinsic component of all business activities. I would like to propose five specific management practices that stand out as primary symptoms of stick-on security.
The cubicles in which many of us work are a symbol of fragmented structure. There are almost always similar "virtual cubicles" between work groups with different responsibilities. They are barriers to communication and prevent concerted action.
The IT department will include desktop support staff who install and maintain the users' computers and applications, server room staff who keep the servers running and do the back-ups, and security staff to configure the firewall, but I bet these groups do not talk to each other.
No single technical group alone can develop the security policies, as each only addresses part of the overall problem.
Do you have a formal mechanism for these groups to share information or work in concert? Such mechanisms and management are essential, but you will not find many businesses enabling them. If you believe, as most of your competitors do, that each of these groups provides a standalone service, your security will fail.
Once a business reaches the size where staff need identification badges, individuals may no longer retain the freedom to communicate directly up and down the hierarchy, but must use "channels". Those channels generally restrict who can communicate what to whom.
In such a culture, information from the wrong source is disregarded, however valid it might be. As a result, the quality of information suffers. Even those who are supposed to know the true position with respect to inventory and risk can find themselves ill-informed when the crunch comes.
You might think that auditing could help here, by formalising the gathering of information, but that depends entirely on how it is done.
For many companies, running an audit once a year is the sum of their IT security controls.
Controls are conducted like this because everyone involved sees the task as a burden, the impact of which has to be minimised. But, although it may seem the quickest and cheapest way to "get the job done", a once-a-year slog is not the way to go about it, since it is not really doing the job at all. Out-of-date inventory, policies and risk assessments are more dangerous than none - you will end up trusting something unreliable, rather than staying alert in the knowledge that you cannot trust anything.
The fundamental error is viewing security controls as exercises. You cannot afford to. If they are to work, they must become processes.
One of the greatest security hazards is the dominance of technological solutions. Security is generally left to the IT people, who are all technical and are rarely, if ever, given business briefings. They tend to think in terms of "attacks" and "defences" rather than confidentiality, integrity and availability of data.
Business IT requirements are met by negotiating requests for services or facilities into the extant technical framework as well as possible, and the framework is defined on technical grounds alone. This can lead to two extremes, depending on who wins the negotiations.
At one end of the scale, security can be left wide open in order to facilitate some departments' activities. For example, several people in marketing may want individual direct update access to the public Web server so that they can post press releases. They may well get it, without any training or warnings as to risk.
At the other end, security may seriously affect productivity. Not so long ago, the senior IT man in a national-scale company told me - with pride - that he had tightened the corporate e-mail policy so much that huge numbers of e-mails were quarantined (not delivered) because of users' "questionable" choice of wording.
The really shocking thing is that you often find these approaches operating side by side. While one technical arm locks the business to the ground, another exposes it to unacceptable risk. The problem here is failure to appreciate that information security is a business issue with technical facets, rather than a purely technical issue.
At the Information Security Solutions Europe conference this year a leading security professional said, "If a new technology is released, of course you will buy it, because if you do not and something subsequently goes wrong your job is at stake."
Similar statements have been made at nearly every security conference and meeting I have attended this year. I find, when talking to senior IT staff, that they are generally scared stiff of the slightest suggestion that they are not doing everything perfectly.
No one wants an objective audit. No one wants to admit that their systems or procedures may need to be revised. Everyone is just hoping and praying that nothing will happen to draw attention to them. And their fear is probably justified, particularly in the current economic climate.
Information security is about minimising risk - if the people who are supposed to secure your business are constantly distracted by worries about whether they will lose their jobs if something is seen to go wrong, there is a serious conflict of interest. This will inevitably lead to inefficiency and, at worst, cover-ups.
It may seem satisfying to crucify a culprit, but it never really solves your problem.
The bottom line is that "stick-on security" does not work. However much you have spent on security hardware and software, bad business practices will thwart your efforts. The best you will achieve is a false sense of security that will not hold up under stress.
Mike Barwise is an independent security consultant