5 reasons you should know more about security
By Jason Helmick on February 23, 2016
While speaking at a conference recently, I posed a security-related question to the audience. The question seemed strange to many attendees, as my sessions don’t deal directly with security-related topics—but I wanted to see if these folks were thinking about security. So, I asked, “Who here is responsible for security at your company?”
The response, while unfortunate, was not surprising; just two or three people raised their hands. I smiled and followed up by asking everyone in the audience to raise their hands, and they did. "This is the correct answer to the question," I said. While many people smiled as if they were now part of an inside joke, several sat with thoughtful looks on their faces.
The point here is that it doesn’t matter whether or not you have the word "security" in your title, what matters is that you think and behave as if you did. One of the worst days an IT department can experience is the day your company is on the news. Not because of a scientific breakthrough, not for helping to feed the world, but for releasing your customers Personally Identifiable Information (PII)—like credit cards and social security numbers—to the world.
While you may not believe that you can make the difference, I’m here to tell you that you absolutely can. Let’s take a look at five big reasons why you should learn more about security and work closer with the people in your security department.
1. Security is everyone's responsibility
If you're an IT Admin, let me ask you an uncomfortable question: Do you know of any shared folders on your network where users have more permissions or privileges than is necessary to perform their job? Or, for that matter, any database, server or storage device where users have greater permissions than needed?
If you’re aware of this situation and have not taken action to have it corrected, you are knowingly permitting a vulnerability that can become an exploit to your company. I realize that nobody intentionally wants to do that, yet I hear people say things like:
- I'm not responsible for that product.
- We have a security team that will discover this problem.
- I have it on a list, but haven't had a chance to correct it.
Each of these can be addressed with the it’s-not-my-responsibility attitude. While it's not always easy, you should be contacting the security department and the group responsible for that product, and you should follow up on its correction. If everyone in IT had this as a priority in their job, imagine how improved the overall security posture of the company would become.
2. The best security is the security that’s applied
If you’re a product expert, you probably know more about that product, its security settings and vulnerabilities, than the security teams knows—so help them out. As an example, I'm a Microsoft Exchange expert and I know exactly how to harden a messaging server. From restricting IP addresses to applying proper permissions on public folders, I can lock it down. But the job doesn’t stop there. I give that configuration information to the security team and explain what exploits this reduces. They can help monitor to ensure these controls are effective and help alert me to new vulnerabilities that I may need to protect against. Working together we can elevate the security posture of the company.
3. Your company's 15 minutes of fame
Sony, Home Depot, the Federal Government and hundreds of other high profile banks, healthcare industries and businesses have ended up on CNN due to an incident. Many of these companies have highly trained security and IT ops teams working to prevent this from happening. So why does it still happen? It's usually a breakdown in process, such as Risk Management and Change Management. For example, if admins are changing the configuration of a server, and no one knows about it, then vulnerabilities are being created that aren't being analyzed and protected. This is why management processes should be part of the boardroom.
4. The boardroom needs help
Risk Management, Change management, Security assessment and response—you might be doing it all, but this is only successful as a top-down approach. The executive team must make decisions about the safety and welfare of its employees and customers regarding security. Often these decisions need to be considered with other obligations such as compliancy requirements that the business falls under.
It's important to work with the executive team, helping to gather these considerations together and forming a Risk Management strategy that combines vulnerability assessment, implementation and management of controls, and monitoring those controls. Change management is a critical piece, as unauthorized and unknown changes cause unknown vulnerabilities, opening the door to exploits.
Another blunder that the executive team needs help to address is proper information communication to the public in the event of an incident. Recently, a large company took several weeks to let customers know that there was a breach to credit card information. This deepened the loss of customer trust and has cost the company millions of dollars. Another company had a minor incident and no PII was compromised, but an employee posted on Facebook that the company had been hacked. Again, loss of customer trust and millions of dollars occurred. The solution? A communication plan involving the public, law enforcement and authorized spokespeople.
5. You can (and should) contribute
I believe that everyone, not just IT, can contribute to enhancing the security posture of their company. How to do it? Learn. Act. Teach.
- Learn: Learn more about security and the policies, procedures and risk management frameworks that can help harden your company. Learn more about the products you’re responsible for and the best way to secure them.
- Act: When you see something wrong, say something and follow up. The security team and others will appreciate the help.
- Teach: Help others learn the basics of thinking "secure." Even simple tasks like using complex passwords, removing print jobs from the printer and cleaning documents off your desk. The little things matter.
If we all get involved, we can all be heroes.