The Security Framework for Information Technology
Most of the damage to Information Technology (IT) security is not from outside malicious attacks, but rather from simple mistakes: unintended or unauthorized actions of legitimate users and IT engineers who are either untrained in security or who have misunderstood the instructions from management.
The two major issues mentioned replay themselves daily in the IT world. Part of the reason this is happening is a lack of common, proven practices and guidelines developed for IT professionals. Unlike the legal, financial, and medical fields, the IT field is still somewhat in its infancy. It has yet to develop the kind of respect from the business community that legal, financial, and medical professionals enjoy, despite the fact that IT professionals are increasingly tasked to handle and protect the core values of the organization—the data and information that legal, financial, and medical professionals, and management, depend on.
There is no question how important the IT department is for any organization. So what are the issues when it comes to poor security in most IT operations? Here are the main issues that I see:
Management vs. System users vs. IT professionals
No one needs to tell a brain surgeon what procedures to follow to perform an operation. No one tells a Certified Public Accountant (CPA) how to conduct an audit for financial matters, and no one needs to ask an attorney to maintain attorney-client confidentiality during a trial. And yet, when it comes to IT security, management, system users, and IT professionals are often at odds as to what is the best course of action in response to a given security concern. The three groups almost always have their own ideas of how security should function, and sometimes one, two, or all three groups do not understand each other. Worse still, sometimes they don’t understand the security issues involved or the remedies available. Management usually understands the high-level issues; users generally want convenience; and IT of course wants to please the first two while still doing its job. However, none of them has a common framework to follow, and most do not have a common policy to follow. To make matters worse, everyone believes their way is the best, regardless of the real overriding issues.
Standards
There is a total lack of standards when it comes to IT security. As mentioned above, all three stakeholders have their own ideas regarding what the standards are. And the three groups may even change the standards from time to time in response to a given situation, even though the next time around it could be different. Things are done to solve an “urgent” issue with the intention of revisiting the actions taken later, when the urgency is over. We all know how that goes.
Complexity of the Information Technology
Supporting the current IT infrastructure is exponentially more difficult than it was ten years ago. While supporting the hardware aspect of IT has gotten dramatically easier, supporting the rest of the IT infrastructure is much more difficult today than it was in the past. Most management and system users do not appreciate how difficult it is to keep the IT operation running smoothly. Management as well as system users only see the front end of the IT system; it is all Windows, GUI, point and click—but at the back end, IT is facing increasingly complex configurations and environments to make everything work. Nearly all operating systems and most applications today use different security standards.
Consistency
Until just a few years ago, there was no concerted effort in the IT industry and among IT professionals to focus on security. Even most training focuses on a micro-level that is specific to given products and, at times, a given task. Very few IT professionals have a comprehensive knowledge of all the levels of IT security necessary for them to perform their job consistently, each and every time. Without a high-level IT security framework and/or IT security policy, security tasks will be performed by individual IT professionals based on their own unique experience. The results are often mixed and may or may not even be desirable. Even when the security tasks are performed by the same individual, the results can be inconsistent.
Policy
Most organizations today either still do not have a well-defined security policy or have never developed one at all. Where there is a comprehensive security policy, it is not well communicated and/or enforced because it lacks a high-level framework to guide it. Very often the policies address security issues at a micro-level that is hard for management, system users, and IT professionals to understand or enforce consistently. For the organization that has a well-defined security policy, very often there is not a well-trained team (a workable team has to be composed of all stakeholders) to enforce and fine-tune it, and over time the system breaks down.
Framework
For an IT security system to work, more needs to be done. A well-defined framework needs to be developed involving all stakeholders, and it needs to be self-tuning over time to remain useful. Almost all organizations today stop short of having a good framework to enforce and fine-tune the IT security system. Most understand the need for a well-defined security policy, but unfortunately, most stop there once they have developed one.
Training
One major difference between traditional, well-respected professionals such as medical doctors, CPAs, and attorneys and the IT practitioner is the IT practitioners’ lack of a structured approach to learning their trade. There is no well-defined curriculum developed for people who intend to go into IT fields. Most IT training is focused mainly on the product-specific and commercial aspects of the subject matter, combining marketing and product promotion as part of the training. Traditional curricula that produce the skills demanded of most computer programmers and engineers are not suitable for keeping up with today’s IT demands.
In conclusion, in order for any IT security system to work, a well-defined, organization-wide security framework needs to be implemented that involves all stakeholders, and the framework needs to be part of the organization’s core operations—its DNA—at all levels of the organizational structure.