In general, it is not a good idea to for security to prevent functionality, without providing an alternative means by which the business can get their work done.
As an example, under normal circumstances, the unavailability of a technology (or not providing a solution in the first place) by which to work when telecommuting or at home will likely lead to ‘shadow IT’ in the form of either utilising cloud based sharing solutions or personal email.
Business users will always find a way to perform the tasks they need to, regardless of the technical or procedural rules we put in place. However, in the case of the US Postal Service recently, if the suspicion is that a vulnerability in the VPN led to a breach of some , there is likely to be a wider acceptance of this short term measure ‘drastic times call for drastic measures’.
I don’t doubt however that since the internal directive was issued, workers are already finding ways to get things done from afar!
The cause of the breach at the US Postal Service has not yet been detailed, but one thing is for sure – it is likely to be a combination of people, process and technology failures. In this industry we often still suffer from “after the horse has bolted” type motivation to fix issues, we can but hope that in this particular case its the shock they need.
One of the important lessons that security functions have learnt over the last few years has not been about how to identify or prevent such activities but how to react when they do happen.
Something that I have been working on recently and something that I watched with interest is the way in which organisations externally address such breaches within the media. Organisations range from one end of the spectrum to the other; those that are quick to openly address their failures and the lessons learnt at one end, with those that bury their heads in the sand and pretend it hasn’t happened at the other.
In this day and age breaches are an inevitability not a possibility, and as security leaders we must get our heads out of the sand and prepare for that day to come. Work with those who are adept at external communications to craft messages conveying regret, but with a stout resolution to learn and grow from such events, committing to minimise the damage to customers or employees from this or any future breaches.
The benefit of swift and honest communication prior to any breach will not only benefit your organisation, but will resonate throughout the security industry. The times of pretending everything is 100 per cent secure are long gone: consumers, customers and employees are all beginning to realise this, let’s not insult their intelligence by refusing to the except the obvious.
Admit that these things happen and learn, grow and improve, but importantly never make the same mist
ake twice and always have the customer (whether internal or external) at the heart of everything you do.
Businesses and business functions that succeed generally do all of the above, why should security be any different?
Craig Goodwin is vice president of information security
