Pressure to Back Down on Web Security Policies
I noticed a news item yesterday that stated that in response to a recent survey, 86 percent of IT managers indicated that they have been pressured to back down on Web security policies. The survey indicated that the pressure came from senior management as well as marketing and sales staff. Almost half of the respondents reported that employees ignore security policies to gain access to services such as Facebook and Twitter, and more than half said that their organizations did not have a way to find malware or to resist URL redirect attacks.
How could this happen? I suspect that there are at least three fundamental causes:
- As we all know, current economic times are very difficult. When new security initiatives are being introduced, profit-starved executives are much more likely than normal to take a gamble on a new, potentially very profitable initiative, despite the fact that it imposes serious information security risks.
- IT security professionals have still not “made the sale” to senior management concerning the value of information security. I have written about this problem several times in some of my previous blog postings, so I will not belabor the point here.
- Information security too often resides within IT. Although IT is a vital and essential function within organizations, it almost always is beset with a myriad of problems. It seldom delivers what is really needed, and what it actually delivers is also almost without exception the byproduct of nasty politics and chest-beating cowboys who claim they (and only they) have the answer for everything. Any IT security function is thus doomed to fall far short of its potential because of its being in the IT function within the organization. It would thus be far better if the information security function were within the finance (or possibly the operations) arena.
- Security training and awareness efforts within a large proportion of organizations are marginal—in too many cases, they are non-existent. Unfortunately, with the current economic crisis, information security training and awareness is too often the first line item to be chopped from budgets. Powers-that-be blatantly ignore the Gartner Group’s advice that security training and awareness produces the most favorable return on investment of all controls in the information security arena.
You get what you pay for. If you invest in security, you will reap big rewards (although they might not immediately materialize). Failing to consider security ultimately leads to sordid outcomes. Just consider TJX and Heartland Payment Systems. Pressuring IT managers to back down on Web and other security issues is thus extremely unwise. Failing to use anti-malware tools is just plain everyday stupid. Unfortunately, when almost every employee in the workforce today must carefully watch every step to avoid being singled out and ultimately laid off or fired, standing up to the pressure is suicide. The only thing IT managers will be able to do is to say “I told you so” when the inevitable security breaches occur sooner or later.