- BlogInfoSec.com - https://www.bloginfosec.com -

Intentional Security Blindness

In previous columns I talked about two types of employees, contractors, and the like who could cause your organization harm through poor security practices resulting in loss of data, money, trade secrets, and so on. The first type was people who caused such losses inadvertently through security policy violations, such as taking unencrypted medical records home on a laptop or memory stick and losing it. The second type was someone who intentionally stole such valuable data or caused a denial of service; in both cases the potential cost to your company was significant in terms of money, lost business, or management time lost to litigation. But there is a third type of individual who could cause these undesirable losses to your company, and they are almost always employees.

Who are they?

So who are these people? Generally, they are the most powerful or influential people in your company who often are higher up in the corporate hierarchy than the security department. They could be the CEO, the CFO, the head of marketing, or the powerful heads of profit centers. So what do they do and why do they do it?

What do they do?

First, the what. They demand new or modified applications that open up serious security flaws. One route is web-enabling legacy applications that were never designed with security in mind beyond authenticating a user, and whose potential user population, once on the web, is of course anyone with a web browser. A very good example of this has occurred in the electric power industry, whose systems are controlled by a technology called SCADA (Supervisory Control and Data Acquisition). SCADA was intended for use on closed company networks and so has little built-in security. However, over time, SCADA systems have been connected to the internet, which poses a significant threat to the nation's grid. Alternatively, they may demand new applications such as Web 2.0 mash-ups or Voice over IP (VoIP), to name a couple. These applications are inherently insecure, as any review of the security literature will reveal. Not only are they insecure, but they are exceedingly difficult to provide with an acceptable degree of security. Now, if the security department is performing its role, the people demanding these applications would be aware of the security issues. But in many cases, the security people are not high up enough in the organization to be heard, or even if they are, their message is ignored.

Why do they do it?

Now the Why. In a word – money. These new applications are seen as increasing revenue or reducing operating costs by opening up applications to the web. In addition, they may be seen to enable the business to become more nimble. Finally, they may be needed because the competition has such applications or the customers are demanding them. Because of the perceived financial gain, the executives will turn a blind eye to the security implications of these applications, or simply say “You’re the security department, fix it.”

What do we do?

So in the end, the security people try to make the best of it by finding security solutions that address the most serious of the security exposures and simply accepting the rest. So how do we reduce "Security Blindness?" The best way is to achieve a position in the organization where the executive requesting these applications, rather than the security group, has to accept the residual risk, in writing.