Business Resiliency

Who is to Blame? Defining Roles within IT Security

By John McDonald July 22, 2014

I was having a beer with a friend of mine recently – he’s a security analyst at a company that has experienced a data breach – and he was telling me about the ‘witch hunt’ going on in his company to find someone to hold responsible for the breach. That got me thinking about the whole concept of authority vs. responsibility in IT security. First, let me state that, in my opinion, the criminals that carry out the attacks are the ones that are ultimately responsible – the organizations being attacked are the victims. Unfortunately, as with many enlightened societies, we tend to assume that criminal activities are inevitable and that individuals and companies should take ‘reasonable precautions’ to prevent such crimes. However, that begs the question of what’s considered reasonable? On February 5 this year, FTC commissioner Maureen Ohlhausen said the FTC expects companies ‘to take reasonable precautions’ against data breaches but won’t provide a safe harbor that would indemnify them altogether from enforcement actions. Like the gas can manufacturer that was successfully sued because they didn’t include a large print warning not to pour gas from their cans directly onto a burning fire, we tend to hold the most accessible person or company with the deepest pockets responsible when something illegal (or just plain stupid) occurs.

7 22 14 John Image 1

So how does this impact IT Security professionals? One of the biggest gaps I’ve found while performing security program assessments for customers is the almost universal lack of clearly defined responsibilities and authority for IT security. The CSO/CISO is given a budget like everyone else and is typically expected to first apply that budget to meeting compliance requirements defined by various government and industry regulations, with the leftovers being used for the usual suspects of security tools. What they typically lack is the authority to drive any real improvements in IT infrastructures that are typically fragmented and undocumented, business users that can do pretty much anything they want to in the name of ‘supporting the business’ and privileged groups within the company that are supposedly savvy enough to take care of their own security. And yet when a penetration or data breach does occur the first group everyone points to is the IT Security team.

What’s a security professional to do? Trying to change the culture of an entire organization to be more security friendly is typically akin to tilting at windmills – it’s a great way to suck up time until retirement but it’s probably not going to be very fruitful. Here’s what to do:

  1. Work with upper management, the IT team and business teams to more clearly define roles, responsibilities and authority
  2. Identify potential use cases, including the different ways penetrations and breaches could occur, what the attack vectors are, what assets would/could be impacted, what the response process would look like, etc.
  3. Identify all of the associated assets (e.g. systems, applications, personnel, etc.) and who’s has responsibility and authority for each.
  4. Security team would then work with each asset owner to define and document who can or should do what in the event of an attack.

While this may be a somewhat complex and dynamic process in most larger environments, it has the advantage of getting Security, IT and management talking and generates awareness of the need to have clearly defined responsibilities and authority.

7 22 14 John Image 2Structured risk program can also help raise awareness. By identifying, documenting
and quantifying the potential impact of the organization’s current security strengths and limitations the security team can provide management with a clear monetary understanding of what a breach could cost, and let management make the decision of whether or not they’re comfortable with it. The security team should be prepared with a list of potential projects that could be used to lower the level of risk, along with their associated cost and level of risk reduction. Management can then take ownership for deciding how much risk they’re comfortable with and how much they’re willing to spend on risk reduction.

Both of these activities can help a security team increase awareness of exactly how roles, responsibilities, authority and spending will potentially impact the probability of a penetration or breach occurring, and while being able to say ‘I told you so’ after a breach may not necessarily improve your career prospects, the resulting improvements in security can go a long way minimizing the chance of a breach occurring in the first place.

About John McDonald


John McDonald is a Senior Architect in EMC's Trust Solutions Group, where he is responsible for developing and communicating trust-based solutions that encompass all of EMC's, RSA's and VMware's products. He has over 30 years of experience in the IT industry in general and IT Security in particular, and has worked extensively as a consultant, developer and evangelist across all industries and virtually all major areas of IT and security technology. He has spoken at dozens of industry and vendor IT and Security events, and has written over 20 whitepapers for EMC and RSA. John is also a CISSP and has held certifications in several other areas, including disaster recovery, Microsoft technology and project management.

Read More

Share this Story
Join the Conversation

Our Team becomes stronger with every person who adds to the conversation. So please join the conversation. Comment on our posts and share!

Leave a Reply

Your email address will not be published. Required fields are marked *