It might be the hardest battle you will face as a security professional. It might cause the most grief, frustration, and exasperation. No, it’s not trying to make sure all your Windows servers perform smoothly. It’s not trying to fend off the dozen vendor calls that come in every day. It’s not even an entire weekend wasted because of some unknown glitch caused by someone else that brings down critical systems. And it’s not quite the often futile attempts to deter the insider attacks.
Quite possibly the hardest battle we will face is the battle to change the culture of a business from one that trusts everyone, particularly those “in the family,” to one that practices diligent security. Ever try to tell your Help Desk personnel that they should not ask for user passwords when doing some work over the user’s lunch hour so as not to disrupt their normal work day? Those same desktop people who typically are evaluated based on their customer service to those users? I’ve been in those shoes and I fully empathize. As a support person, you want to be able to bend over backwards if an important user needs you to; not to give a look of regret and explain that “security process” is tying their hands a bit and inconveniencing everyone.
Have you ever seen the look on senior management’s and human resources’ faces when you tell them they need to operate in a way where they don’t necessarily trust their own people? There’s not much more they brush off quite so quickly and easily than claims that their own people may be a threat, even an accidental one.
This battle can be easy in some compan…no. It can be easy in some organizational cultures. The military has ingrained security process very deeply. Larger corporations are also a bit more successful in steering culture, especially those that have a real reason to hide things (Boeing, Lockheed, or Microsoft, for example).
But the rest of us…yeah, the rest of us someday have to face those cultural battles where we should not be handing over passwords or being accommodating to persons whose username we may have seen but whom we have never yet met when they ask for something beyond their typical level of access. Is this a new direction for the company, where her department is shifting a bit and we have to compensate, or is this an attempt to get access to something she shouldn’t have? If we ask the manager to verify and/or authorize, will they just take the path of least resistance and kneejerk a “yeah sure, I approve” response? What kind of look do you get when you explain that perhaps their manager and then the data owner both need to approve access? Is it acceptance, or a flash of genuine annoyance that you know will be spread around to anyone willing to hear?
And these are not things that are easily overcome with training and user education. It is one thing to educate a user about something they didn’t know previously when they are open and receptive to the information. But it is another side of training altogether to tackle culture and paradigm shifts. This typically takes a lot of time and a lot of repeated training towards this aim (or you just force it with technology and a big clue banana).
I admit, some places in this country might be easier to adjust attitudes in than Des Moines, Iowa, where I live and work. We’re still a very open community, and trust and customer service come pretty naturally. Even “trust but verify” is a difficult adjustment. When does the line get crossed between being a helpful steward to a company and practicing a dangerous habit?
Just as with a courteous security guard who tends to recognize the faces he sees regularly, all it takes is one person out of the 10,000 who walk by in a year to bury the company, or to disclose information that emboldens a competitor, jeopardizes a nation, and affects the livelihoods of your fellow workers. Just one person who is allowed to pass because he looks familiar (he was fired last week against his will), is dressed like a VIP, and looks like he’ll pin your manager’s ass to the wall if you inconvenience him, can be The One.
While my team has yet to bring about a culture shift in the people that matter when it comes to security and customer service, at least we are still trying. We continue to implement technology not only to help cover the company’s ass in case our paranoia becomes reality, but also to maintain a foundation so that if the direction of management changes, we can quickly adjust and add on security as our openings allow.
(This post was partially inspired by Scott Wright’s recent post about the insider threat.)