One of the great ironies of IT is that so many IT and security departments are built on two basic falsities:
- The demands of the IT and security department are often greater than the funding allocated to execute them (ultimately a budget problem).
- The only people who can validate the success of the work are the IT staff tasked with performing it.
These two broken premises are at the root of our being our own worst security enemy. However, one will fail us worse than the other.
The first issue is solvable by rightsizing budgets and projects. Something that often takes time and experience to accomplish. However, the second will cost us more than simply the danger of being over or under a project’s budget. It creates vulnerabilities that the organization is completely unaware of.
The security dangers of self-evaluation
When IT staff are asked to execute all the many functions of IT, they are also tasked with the success of those functions. Therefore, if the same staff are ever asked if there are any concerns, they are almost always incentivized to downplay or deny those concerns or be seen as doing their jobs poorly. Because much of what IT does is “behind closed doors,” to most people in the organization, there are no natural checks and balances. For other departments, it is much more obvious – a marketing department who cannot execute a conference, a sales department that cannot land the clients, or a facilities department that cannot keep the AC on.
Let’s paint a picture. If the team responsible for physical security is allowing unauthorized people into a building or on a campus, there are tens, hundreds, or thousands of staff in all the other departments, witness the intruder, each able to raise a red flag. Because of this visibility and reporting when something goes wrong, it produces a natural incentive for the physical security team to not “get caught” or “be called out” for failing to do the job of keeping the facilities secure.
When the same thing happens in our computer systems, besides a dedicated SOC team, the only people that will likely be aware of the breach are the same IT staff who are held accountable for not letting the “bad” in. That is, no one will be aware until a catastrophic event happens.
Even if there is a security event, if caught soon enough, the IT team is incentivized by their circumstances to try and clean things up as quietly as possible, downplay the impact, or even outright ignore risks.
It is important to note – these people are not bad at their jobs. They are simply responding to the incentives given to them. Because of the self-evaluation model, there is no upside to transparency for them. Instead, organizations must create that upside to reduce operational and cybersecurity risks.
Key elements to stay on the ‘good side’
There are two key elements to making sure that we don’t accidentally put our own team on the side of the bad guys:
1. Build a healthy security culture in our organizations. Have dedicated security personnel, provide positive reinforcements and even rewards both inside and outside IT for communicating about risks, and provide an overall security awareness program that empowers everyone to be part of the solution.
2. Enlist the help of independent advisors and assessors. A full and effective risk assessment, vulnerability assessment or even systems audit can allow us to gather honest information about the state of our information technology without the awkwardness of asking IT staff to essentially evaluate themselves. But it goes beyond that. Because a good Security Advisor provides factual information without judgment, IT may actually get the evidence it needs to deliver solutions that best provide value to the whole company or organization without being lost in budget competition.
An outside check reveals the truth
Regardless of how you choose to build your security solutions, the special nature of IT’s invisibility should always be considered, as it inherently creates risk.
We are sometimes unwittingly providing the wrong incentives for our IT staff. But there is a solution: A mature approach to security awareness supported by third-party assessors so the organizations always hears the “need to know” details.
Want to know more about how risk assessments can help your security posture? Read our blog: What to Do After a Security Risk Assessment.