Your Security Problem Isn't Technical, It's Personal

I remember the meeting well. The CSO looked at me across the table and said, "Help. What can you do to fix this?" My response was one which our sales rep is probably still thinking about today: "Well, I'm not sure I can do anything to help. You don't have a technology problem." As a security expert brought in to seal the deal, I knew there was a deeper issue we needed to address before we could begin to think about applying our solutions.

Most companies these days have begun moving some of their infrastructure or services to the cloud. Company X was no exception, but with one big difference. They had decided to go "all in"; they were a 100% cloud-based enterprise. Many would say this is the holy grail of cloud strategy, but for this CSO, it was evolving into an ever-growing fog of fear and unknown.

Businesses within Company X realized that if they wanted to begin using a new cloud technology, they just needed a credit card or an expense account. Voila! Bill just created an account on a stock image site. Jan just migrated her team to a cloud-based project management solution. Imagine the money Company X was saving by not having the infrastructure of these systems on-premises. Consider the agility that Company X granted the business with security not "getting in the way." Now consider why the CSO was losing sleep.

"I have no idea who has access to what. Do ex-employees still have access? Are our critical engineering designs leaking to competitors? I know I'll fail an audit. I basically have no control."

I began to think of the questions I should ask that would help discover the essential combination of technology to create the perfect solution. But I paused and began to ask questions that had no bearing on technology whatsoever... The quizzical look across the table told me that my customer was curious where I was going with this. The questions I was asking were about how the business was run at Company X and how this CSO saw his role in the company. I was trying to discover their security culture.

While security cultures exist on a spectrum, most CSOs who feel they have lost control come from one of two cultures I dub "The Bullies" and "The Elephant in the Room." Let's break them down.

The bullies
In a past life, I was sure our security team did not have our best interests in mind. For example, as a development team, we did what most developers do sometimes a hundred times a day -- we compiled our code. Our development environments were pretty powerful though -- a typical build of a large application would normally take no longer than 30 seconds. That is, until security did their "dirty work."

After an indiscriminate deployment of a new virus scanning solution, one which scanned every file that was touched during a compile, our build times went from 30 seconds to five minutes. We tried to work with security by suggesting a solution; we would create a predefined folder where our builds would execute and have that folder skipped by the virus scanner.

Request made. Request denied.

So the developers created a hack and simply went around the new security policy. Perhaps it was insecure, but the issue here was that security refused to compromise or understand our needs -- meaning there was little incentive for us to accommodate theirs.

In another example, I was contacted by our company's marketing employee responsible for social media. This person's job was to create social media buzz about our brand and events while reporting on the zeitgeist that surrounded our products and services. Suddenly, the security team implemented a policy blocking all social media sites from corporate desktops!

My colleague tried and failed to get approval to hit these sites and asked, "Do you think you can help write this email in a way where my request will be approved?" We spent about 30 minutes putting together a justification that actually included a solution to the problem: creating an Active Directory (AD) group for marketing and adjusting the firewall policy. Absolutely confident that the email was correct, we made the request. Request denied. So we created a hack that circumvented the policy and got this employee what he needed.

In both these scenarios, employees attempted to come to the table with solutions that worked in tandem with security, yet were not met in a similar spirit of compromise by the security team -- who were only intent on doing their job well, yet unfortunately showed no regard for how their policies were making it difficult for others to do their jobs well. As such, while the security bullies were doing their best to lock down the environment, the employees were constantly looking for loopholes and backdoors so they could keep their business agile and get around security roadblocks -- in turn defeating the purpose of these security policies in the first place.

Then there was the growth of "Shadow IT," where each business unit had their own self-appointed IT "expert" who developed apps in the cloud or in some off-the-shelf application, in effort to avoid even the simplest conversation with the security team. Yes, security did their best, but in the end, we were less secure than ever.

So, if this bully is the one who is always in your face and is making your job miserable, how would we explain the other end of the spectrum? To put it simply, the other end of the spectrum is closer to what Company X was experiencing: security was the "elephant in the room."

The elephant in the room
It wasn't hard to discover that my customer was the elephant in the room -- that awkward problem no one else wants to acknowledge exists. I asked, "When is the last time you had a meeting with the leaders from the other business units? What if you were to schedule a mandatory meeting with the VPs of all business units to discuss changes in security?" That question honestly elicited a chuckle.

At Company X, the move to the cloud had essentially relegated this IT security team to an afterthought or even irrelevance. But now more than ever, IT security cannot be seen as an afterthought: It must be seen as a prerequisite. Business planning meetings should have a representative to or from security and technical decisions should not be made without first making sure that those decisions are aligned with not only the company’s goals, but those of security too.

Why doesn't this happen more regularly? Because security teams are all too often seen as an inhibitor to the business, stifling its agility and ability to react to market forces that require speed. In other companies, security is simply seen as the team that manages the firewall or the team that makes me change my AD password every 3 months. Given all that, why would I ever need to invite them to a meeting? That's right, they're the elephant in the room.

A spectrum of cultures
Sure, the spectrum from bully to elephant is a broad one, but regardless of where you lie on this spectrum, ask yourself; are you a trusted ally of the business? Are your plans embraced or are your colleagues doing what they can to go around you when you aren’t looking.

Depending on the answer, you might discover that you don’t have a technology problem, you have a cultural problem.

In the next part of this article, we're going to move from recognizing the problem to finding solutions. And that's where things get even more exciting. Until then, I'm curious: Do you recognize your own organization in either of these scenarios? I'd be curious to hear your experience in the comments.

Related posts:

Joe Campbell is principal security advisor at identity and access management company One Identity. His professional career spans innovations for some of the world’s biggest companies, and he’s pioneered new, award-winning technologies in wireless, RFID, visualization, communications and telephony. As a trusted security advisor, his unmatched experience in security and software architecture makes him a highly respected leader in the technology industry.