How to Make Things Worse With IT Security Technology
It’s an observation a lot of IT security practitioners are making of late: That companies are so obsessed about compliance and getting through a list of checkboxes that security technology is being haphazardly implemented — in ways that actually increase a company’s risk.
At the recent ShmooCon security conference in Washington D.C., CSO Senior Editor Bill Brenner asked Ontario-based CISO and security consultant James Arlen for examples of the problem. Here is what he has seen, and what — if anything — we can do about it.
There are a lot of tech-heavy talks going on at ShmooCon this year. As a CISO, what are your biggest technological concerns?
James Arlen: We need to be focusing more on the quality of security technology implementation. It’s no longer enough just to buy the thing; to have that technological doo-dad. When you get through all your PCI security checkmarks and get through your SAS70 requirements that’s great, but are you really getting the value that you’re supposed to be getting?
And you don’t see that happening?
Arlen: In a lot of cases there really is no way to get that value because of the implementation. You buy it, you turn it on, the red light is blinking and it’s making the peeping sound. But it’s not doing anything for you. You’re not getting any risk reduction. You’re not increasing your situational awareness. We need to find a way to get better at that stuff faster.
Given an example of where, in your business travels, you see this sort of problem unfolding.
Arlen: In my long, sordid history as a security consultant I see it all the time. You’d see these firewalls implemented with hugely long rule sets and all kinds of effort put into them. But then you go down to the bottom of those rule sets and discover that somebody slipped in an “any-any” rule because it would make testing easier or allow them to get something into production faster. So it’s an example of taking all this hard work you’ve done and undoing it in the name of expediency.
The flip side of that is that, in being a security operational person, you go out and get the tool, and you train one or more people to use it, and because the security industry is as fast paced as it is — fast paced being another way of saying “high turnover,” — you end up in a situation where three to six months down the line you’re in a position where you don’t have that practitioner excellence and you have a tool that has essentially been shelved because there’s no one who knows how to pick it up and use it.