How Does YOUR IT Guy Respond to a Security Audit?
Just last week I was interacting with four organizations regarding significant information security vulnerabilities I had identified. Each had a dramatically different reaction to the news that they had issues to deal with. It reminded me of the Jewish Passover Seder (ritual feast), during which the participants discuss, in elevated language, “Four Children” – the wise, the wicked, the simple, and the one who does not know to ask. So, here are the Four IT Guys:
The Wise IT Guy
The Wise IT Guy is thankful for having a skilled resource helping assess his systems and is instantly attentive when he finds out he has a vulnerability to address. He is not defensive – he knows that even the biggest companies with the most resources have security vulnerabilities and, at some point, his organization will too.
The Wise IT Guy asks, “What are the vulnerability vectors and what are the best ways to defend against the problem?” And you shall answer the Wise IT Guy thoroughly, carefully describing all of the best practices and methods of deployment.
And the Wise IT Guy will use commercially reasonable best efforts to address the vulnerability, seeking it out throughout his organization and creating a plan, balancing the need for speedy remediation with the requirements of proper testing and deployment practices, including post-deployment testing.
The Wicked IT Guy
The Wicked IT Guy is against having anyone look at his systems in the first place, putting the audit off as long as he can, and placing his own fear and/or arrogance ahead of the good of the organization. He doesn’t take the vulnerability seriously and thinks he knows better than security specialists – he hasn’t been hacked yet, right? He knows he can baffle his CEO with BS and maybe talk his way out of dealing with the vulnerability.
The Wicked IT Guy responds to the news of the vulnerability: “What is this vulnerability to you? How likely are we to be affected by it? Will taking the steps you recommend make us perfectly secure?” In asking these questions, the Wicked IT Guy is isolating himself from well-known security best practices. Rather than taking the simple steps to address a vulnerability, he would rather spend that time rationalizing his own inaction. There’s no such thing as “perfectly secure,” but at home the Wicked IT Guy still locks his door on the way out – he just won’t take the obvious and simple steps to protect his organization.
Therefore, he must be rebuked with the explanation that, “These recommendations are made so you can comply with your organization’s information security policy.” By referring to the company’s policy, one is none-too-subtly letting him know that information security is about more than “IT”, and if he flouts it, he might find himself dealing, in his last meeting as an employee, with another two-lettered department, “HR.”
The Simple IT Guy
The Simple IT Guy asks, “What is this vulnerability?” and you shall carefully explain the steps to remediate the issue, offering to have calls with the vendors and contractors he will no doubt need to get his systems out of trouble. The Simple IT Guy usually means well, but will then sit, perhaps transfixed by the blinking lights on his computer, and do nothing. The Simple IT Guy will worry about the issue once in a while but not take action. Sometimes the Simple IT Guy has some smarts but does not understand how to balance information security with his other responsibilities. Either way, the CEO will usually need to be re-engaged regularly to make sure progress is being made to address the vulnerability. Unless the CEO is forceful about getting it fixed and engages help for his Simple IT Guy, the problem will likely persist.
The IT Guy Who Does Not Know to Ask
So far we have seen the Wise IT Guy who is both intelligent and pious about his security responsibilities, the Wicked IT Guy who is intelligent, but, let us say, impious or unwise about organizational security, and the Simple IT Guy – who means well, but lacks the capacity to manage all the technology with which he is entrusted. The IT Guy Who Does Not Know to Ask for help with information security is both unintelligent and foolish. He doesn’t understand the need for assessment and has neither the interest in nor the capacity to respond to security vulnerabilities when they are identified. This IT Guy is all about letting the issue drop – he hopes your first email on the subject will be your last, and that his luck in not getting hacked – or no one finding out about it – holds up. As with the Simple IT Guy, the issues will require thorough explanation of the vulnerability, but you may need to get his CEO to impress his duties on him in order to overcome his foolish nature – otherwise security vulnerabilities will surely persist.
So, as for The IT Guy Who Does Not Know to Ask, you shall say unto his CEO, “This is what your IT Guy needs to do for you in order that you may be more secure. And we must review progress regularly to ensure this is done.”
Working Toward Redemption
An organizational approach to information security is not rocket science – most of it isn’t even computer science. It starts with management making the commitment to best practices and engaging in assessment (auditing) and re-assessment. When I conduct an audit, I’m probably going to find issues. That’s normal, and it doesn’t make me lose any respect for the organization being audited or its employees. Where I do lose respect for some people, especially IT people, is when their response to the prospect of an audit or the results of the audit is poor and does not serve their organization well. As organizations, it is management’s responsibility to keep a watchful eye and, besides paying attention to the non-technical aspects of information security, make sure that The Wise IT Guy is on staff. If not, that liability must be mitigated in some way so that the organization is taking reasonable steps toward good information security practices.