Showing posts with label Security Policy.

Monday, May 16, 2016

Should you allow exceptions to an information security policy?

Once upon a time, when information security did not figure in the priorities of the IT Head (the era before the CIO title came into vogue), the company took it upon itself to protect sensitive information that, if leaked, would be detrimental to its image and reputation. The internet was beginning to spread its wings to residential customers, the browser wars had just begun, electronic commerce was yet to reach irrational valuations, and information leakage or protection was not on the radar of many enterprises.

There were no USB connectors or drives, internet connections were rationed and low in capacity, and email was the primary mode of information dissemination apart from paper. Separating Information Security & Risk into an independent entity was a big pioneering step forward. The new team started by creating dos and don’ts for users, which culminated in a set of policies. In a hierarchical world, the stringent policies became more liberal the further up the ladder you looked, for the convenience of senior executives.

Then came the noise and the requests for exceptions, citing business need and the impact of the newly imposed controls; function heads authorized the leniency, thereby leaving policies significantly compromised in intent and execution. New threats, perceived to be largely external, were intercepted and addressed; internal exceptions, however, stayed and continued to grow. Companies operated on a level of internally acceptable risk, with high levels of trust placed in senior executives to guard the family jewels.

Fast forward to the current world of heightened awareness of the impact of information leakage and cyber threats: is the scenario any different? Sampling across companies of various sizes, industries and geographies indicates that the information security function now exists in a majority of enterprises, reporting into the CIO, who has also taken on the mantle of protecting the information assets. High-maturity and regulated companies have given security independent charge under a CISO accountable to the CEO/Board.

Policies have become more stringent, implementation rigor higher and, with a plethora of tools available, the ability to monitor better. The industry has continued to disrupt available solutions with newer, faster, better, cheaper offerings, painting an ever scarier picture and forcing adoption driven by FUD. Social engineering has evolved to new levels, with a multitude of avenues reaching out to the gullible and the stupid who are willing to give away everything, including personal records that compromise corporate and individual assets.

Most policies are cookie-cutter approaches built on standard templates from the consulting companies, with some variance by industry; many of them contain statements that put at risk both the enterprise and the policy itself. The implementation, too, is outsourced to IT companies who provide out-of-the-box solutions, at times with no alignment to industry specifics. Compliance continues to drive policy creation and intent: to pass the statutory audit, to ensure that customer audits do not show non-compliance, and to help justify budgets for information security.

Leaving aside the exceptional case of incompetence at the senior management level within an enterprise, today the awareness and intent to protect the company's information assets is genuine enough to put pressure on IT and Information Security professionals. Auditors and regulators have also gained adequate expertise to go beyond superficial reports, dashboards or compliance statements. They are better equipped and have raised the bar for owners, entrepreneurs, management and the Board.

ISO and other standards-based practices and certifications are mainstream, the cost of information leaks can now be measured in fiscal terms, and wordsmithing to crisply document and disseminate the policies with no room for ambiguity or misinterpretation has become the baseline expectation. No exception is the new rule; need to deviate? Change the policy instead: create grades and boundaries for execution. That makes life so much easier than explaining why an exception was granted and how it was managed.

Staying compliant is mandatory, protecting information is necessary, and educating stakeholders is a starting point; take steps before a crisis emerges. Make sure policies are easily understood in intent and execution; have employees sign off on acceptable use policies that define the boundaries; reinforce with frequent communication; assess, audit and publish results irrespective of status, success or opportunities to improve; stay connected to innovators and peers in the industry to benchmark your effort and stay safe.

But whatever you do or don’t, please don’t create exceptions to any policy!

Monday, November 11, 2013

We have been hacked!

Not too long ago I had this interesting encounter with a CIO in a highly agitated state talking to someone on the phone while pacing the corridor of a hotel. He looked up to acknowledge my presence and continued the tirade, his face changing shades of red I never thought possible. I waited for him to complete his conversation (more of a monologue) and then asked him the reason for his state of mind. He stated that the information security of his company had been compromised and he was still discovering the extent of damage.

Information security has always been one of those investments that resemble an insurance policy every organization takes to protect itself. The number of threats has been going up since the internet became intertwined with the enterprise fabric; with complexity increasing and external attacks rising in sophistication, solutions have evolved in an attempt to stay abreast of the game. Security budgets have been rising steadily, and so have instances of successful breaches at companies big and small.

In the older days of IT deployments, basic anti-virus was deemed adequate; today, security solutions encompass almost every device and mode of communication used by enterprises, partners, vendors, and the corporate road warrior. Even manufacturing process controls and industrial equipment have been targets of attacks that left many companies and governments struggling. Every day we hear of new data compromises, phone taps, and social media sharing agreements that leave individuals and what they share exposed to the world.

Citing surveys and incidents, everyone talks about a majority of threats being internal, attributable to recalcitrant employees or contractors; many organizations have also been victims of social engineering that coerced sensitive information from gullible staff. Building moats around the castle has therefore served largely as a preventive measure against the external snooper. Despite this, the industry, feasting on the FUD (Fear, Uncertainty, Doubt) factor, has continued to corner the hapless CISO and CIO into making significant investments, though not without reason, as many attacks and data leaks have shown.

Based on identified security measures and advice from vendors and partners, and in conjunction with his business leaders, my CIO friend had put in place all the technology at his disposal; audits and other exercises had declared his enterprise secure. He had also followed all the good practices and set out on the path towards a popular security certification. Despite all this, his fortress had been breached, and he was now at the receiving end, having to justify why all the heavy artillery could not secure the company.

The extent of the damage was not too high, with a few noncritical servers breached, but it raised an alarm internally, and the CIO, in damage control mode, had to address the issues it raised. A systematic exercise and root cause investigation revealed that these servers were adequately protected with all the controls the security team had put in place. The breach was traced to a compromised password that had been obtained by social means: the hapless user, who knew no better, had shared his credentials.

All the policies, processes and technology were no match for the human frailty that exposed the company. My friend controlled the damage as much as he could and was wondering how to prevent a recurrence of such an attack. His training courses and promotional material to all employees talked about refraining from exactly such behavior; the hackers obviously wielded greater convincing powers. As frustration poured out on sympathetic shoulders, I could only offer him words.

When information security gets compromised, what should companies do? Whether it happens due to ignorance inside or brute force from the outside, any breach can impact company credibility, image, and customers. The resulting impact depends on the industry, size and position in the market. I believe that CIOs and CISOs should build in steps for internal and external communication which are executed without fail. Damage control is as important as the technology solution; after all, the weakest link in the chain is human.

Tuesday, April 13, 2010

(IT) Security and the CIO

Last month, many CIOs (including me) were subjected to a barrage of security events—as if the world suddenly needed a lot more protection than it had in the past! CEOs, senior vice presidents and thought leaders suddenly seemed to have descended upon the CIO, challenging the security postures of enterprises.

Questions challenging the efficacy of currently deployed solutions were very similar across almost all vendors. Many data points from a multitude of surveys were bandied around in an attempt to make CIOs succumb to the FUD (fear, uncertainty, and doubt) factor.

A typical session began with “Top 5 technology priorities”, and since the presentations were being made by security vendors, IT security figured prominently in these lists. To the hapless CIO, statistics revealed a scary world full of crackers and nefarious elements (who want to steal customer data, send spam, phish users, attack end computing devices, and sniff network traffic). It did not matter whether the audience agreed with these or not. Irrespective of whether the displayed data came from the same geography or industry, the ground was set for discourses on why your enterprise is not secure if it hasn’t deployed the specific vendor’s solutions.

Almost all cases are built upon the premise that data is only stored electronically, and leakage can only happen in electronic forms. The exercise of data classification is touted as the starting point—except that beyond a point, this classification becomes irrelevant, as the imposed controls make conducting business a painful task. Mobile workers appear as the villains who will lose a laptop or connect to unsecured wireless networks compromising valuable data.

Yet another cry is for a ban on social media. This does not acknowledge the fact that businesses also use these channels to connect with customers. The mantra is “you cannot trust these gullible, ignorant employees; they are the weakest link”.

Yes, people are indeed the weakest link in security compromises; but they can also be the strongest. The biggest tenet of any business operation is trust. If the enterprise cannot trust its employees to be prudent in their usage of various communication modes or protect the data that matters, then I don’t believe that a technology solution is the answer.

Information security can be effective with the help of education, continuous reinforcement by management, a “zero tolerance” policy towards adverse incidents, periodic reviews, and finally a technology stack that depends on the business operations. Exception management is fraught with danger and should be aggressively discouraged. Many mature organizations have found that making an example of truant employees enhances levels of security and builds trust with customers in the long run. Attempts to hush up such cases, or failure to take the strict action that may already be defined in the policy, send a message of tolerance that can significantly compromise the enterprise.

Vendors need to listen as they engage the CIO (see Irrelevance of vendor presentations) in discussions on how they can help their customers sustain and improve their information security postures. This has to be based on an assessment, not on inane survey data that may be far removed from the audience's reality. Otherwise, they face the risk of alienating their prime customer, the CIO.