Tag Archives: information security programs

A Program in a Program in a Program

2 May 2015

In the past weeks I did a lot security assessments for complex applications. I always use the Socratic Method – i.e. dialogues in small groups with subject matter experts (SME) and support from infrastructure specialists where required. No rocket science! The only but important thing new is, that we look at the applications from the malicious insider’s view.

And, for sure we do a 360-degree assessment which includes

  • People, Processes, Technology,
  • Servers, Middleware, Databases,
  • Interfaces to other Applications and to Infrastructure systems.

Our talks were very fruitful. And it was amazing to see, how fast people have become familiar to the malicious insider’s view.

When it comes to secure operation of databases lots of experts from various disciplines are involved because the database is a complex application for itself. Hardening of a database without hardening the underlying operating system, the application and the middleware makes no sense. Security standards have to be defined and implemented for servers, databases and application components to achieve a good overall security level. Moreover security standards must undergo continuous development because the threat situation is fast developing.

Thus an application security program comprises nested programs for the building blocks of applications.

For each building block security baselines have to be defined in interdisciplinary teams.

In addition a team of innovators is required for continuous development of the baselines.

And a knowledge management team to make sure that all teams share their knowledge of threats, lessons learned from major data breaches and mitigation best practice.

In particular knowledge management is the one of the weak points of many security programs…

Have a good weekend!

The human factor a key challenge to information security!

11 December 2014

I returned from a business trip to Berlin yesterday in the late evening. In the morning I presented the results of the threat analysis of a complex application, which we performed in the past weeks, to the application steward. To be honest, I am not fully satisfied with the outcome, although we agreed in a lot of protection packages to secure the database and the application layer. Some of the weak points, e.g. the access from the users to the application server and the distribution of the software to the user Workstations, are still not sufficiently mitigated.

Later in the afternoon I found an email titled ‘The human factor a key challenge to information security, say experts’ in my inbox.

The key message of the study discussed in this report is:

“People will always be the most vulnerable part of any organisation’s information security, because people make mistakes and they are easily manipulated.”

Yes, I fully agree! But software suppliers, who deliver bad configured software, and business leaders, who constantly run IT cost-reduction programs, contribute also substantially to this security problems.

People who use complex software to run complex business processes create more help-desk calls and support effort than people who use office applications only. But cost cutting programs are not aware of this trivial insight. From a pure economic point of view such applications does not exists, although they may contribute substantially to the success of a company.

IT groups are doing a great job in automation of support processes to deliver fast and high quality support to their users. Unfortunately, security suffers under cost pressure. If the number of complaints of e.g. low performance of an application is large enough IT groups are far too ready to define exceptions from security standards. But exactly this self-made vulnerabilities could be used by attackers to get access to the computers in a company…

Sony is everywhere!

Why IT security programs fail

 31 July 2014

If it is about IT security, business people have every confidence in the ability of IT departments that they do the right and important things. To be honest, sometimes I have the feeling, that they do not want to be involved in this security stuff.

‘Just let the nerds add some new high sophisticated technology – and all will end well.’ But, please without any impact on our daily work and to low additional costs.

This ‘not involved here’ syndrome is the main reason why information security programs fail. And, combined with blind trust in technology, things could end worse.

Some weeks ago I read a remarkable statement in post ‘Security Think Tank: Consider security Training before high-end technology’ by Mike Gillespie:

Encryption is not the solution to security, it is part of the solution and always has been. So an employee who does not realise that their device is encrypted basically when it is switched off, may still have very poor security habits, such as leaving a laptop logged on with the lid down, thinking the data is secure because it is magically encrypted.

If Mike Gillespie had one more Dollar to spent in IT, I bet, he would invest this Dollar into security awareness Training.

We need change!

We need Change!

To ensure sustainability, it is very important to get people involved in these IT security topics. As Benjamin Franklin once said: ‘Tell me and I forget. Teach me and I may remember. Involve me and I learn’. Thus, to increase the likelihood of success, IT security programs should always be embedded in a change process.

But Management buy-in comes first! Why?

To stay in the market, with a well respected brand and competitive products, is definitely part of every company’s business strategy. IT is just an enabler for business strategy. IT supports the business groups in protecting the important digital assets and the intellectual property of a company.

Therefore, IT cannot be the driver for a security program. Business must take the initiative and start and manage the program to ensure sustainable change in IT security awareness and behaviour. If a C-level manager could be won as program sponsor, it is very likely that the program’s targets are met.

It’s all about leadership! And Change.