Thursday, February 22, 2007

IT Security in an imperfect world

Andy has a good article on basic IT security.

He hits on some of the pain-points of being an IT professional with a security focus – especially for those of us dealing with small to mid-sized clients/organizations. So he talks about things like… Management reverting to a “let’s make this easy” approach, as well as some other common items like… Open Access Points, firewall holes, local administrator access on end-user systems… you get the point.

Andy sounds like he is the security admin for a mid-sized organization, so his approach will rightfully be different from mine. But I thought it was interesting nonetheless.

Let me first say that I understand where Andy’s coming from. A few years ago, I worked for a larger organization. And I, much like Andy, was/am very security minded. Since then, though, I’ve had the opportunity to work with many organizations of varying sizes and mind-sets, and over time I’ve refined my approach for the clients that I serve.

Instead of just looking at problems and finding solutions (the tactical approach), I took a couple of steps back and started approaching things differently. What I’ve come to see is that there is no ideal situation from an IT and/or security standpoint, and there are a lot of reasons (or excuses, your choice) for the way things are… maybe it’s management’s approach, maybe it’s the technical staff, maybe it’s the budget… it may be a lot of different things. But instead of hammering on everyone to clean up islands of problems, I started to take a different approach.

Find the answers to these four questions and it will improve your life, and career.

  • Is there a corporate IT vision, and/or strategy?
  • Where’s the plan?
  • Are we measuring against expectations set in the plan?
  • Is anyone accountable for anything?

If you can find the answers to these questions, you can probably get to the root cause pretty quickly. Take the emphasis off of tactics and figure out the direction of the ship. In my experience, the ship often has no direction, so it might be your job to set it on course. Or, if there is a direction and your job isn’t to set the course, then you have a few options… either execute against the existing vision/strategy, move into a position where you can set the strategy, or get out of Dodge.

Stop worrying about the legion of developers running as local admins with Visual Studio 2005 installed (hey, they all pretty much need to be local admins anyway under XP, just ask Microsoft). Or maybe you’ve got a client who has cash-flow issues and simply wants to get through today. Or maybe you’re dealing with an old, large, slow-moving organization with so much bureaucracy that it takes 30 days for a server build to get approved.

In short, figure out what the situation is, and get a plan together. Then either get moving, or move on.

1 comment:

Andy, ITGuy said...

You are correct in your assessment that I am the security admin for my organization. Our problem is that we have not set the course fully as of yet. We are in that process and it is painful at times. Especially when you are facing a group that often doesn't understand security and doesn't like the road blocks that it can put up. That is where my job changes from admin to marketing. I have to help them understand what security is and why we need it. Then I can go back to admin and develop the appropriate solution.

Thanks for the mention in your post. Good thoughts.