Security – Who is responsible?
Do you view your security posture in the office as more or less important in comparison to your residence? And how does that compare to the personal security profile that you exercise for you and your family? Who should be shouldering the security responsibility? I posit — you are responsible. And I would add that you also need to hold yourself accountable.
At work you may rely on yourself. If you are fortunate enough to work for a company with resources focused on security, you may, dare I say, share that reliance with a few groups. These groups include the “information security” team, which attempts to keep information safe (be it data, network, laptop or smart phone); the “physical security” team, which keeps your building safe from intruders; and the local “industrial police force,” responsible for keeping your person safe and secure. Such reliance is appropriate. In each instance the person or entity you are relying on the most is also relying on you at least as much, and oftentimes more so.
An example from the physical world: when you ride public transport you rely on the operator of the vehicle to drive in a safe and secure manner and obey the “rules of the road.” These rules are designed to keep order as we meld in amongst the chaos we affectionately call “traffic.” The operators are also relying on you to make the right choices (how to enter and exit, pay fares, sit and stand, etc.) and to understand the consequences — be they intended or unintended — of your choices should you not follow the rules. This is the accountability part of the equation — you own the end result of your choices and actions.
Throughout my 35+ years involved in the practice of security it has been my experience that too often people ascribe responsibility for their security to others. When is the last time you heard someone say, “It is my responsibility to be secure! It is my responsibility to maintain security!” or conversely, “Today I am going to be insecure!” It just doesn’t happen. Though the reality is that every single day my actions demonstrate my desire to be secure and maintain security, and perhaps yours do as well. And yes, it has also been my experience that occasionally I’ve made choices which have caused others to say, “What was he thinking?” and conclude, “There wasn’t any thought process engaged.” I will try to keep those instances to a minimum. However, we all bear responsibility for our own security.
Let me share a few of my thoughts:
Security
What’s a right choice? Fundamentally, understanding why one choice is superior to another in contributing to your security and maintaining your security is how one measures success in remaining secure. I am mindful that a list of suggestions or admonishment of “what not to do” is of little value, whereas a discussion on “how or why” carries utility, and therefore value.
So sticking to my previous vehicle analogy, let’s compare how we are responsible for our security both in the physical and online world. When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling. During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red lights, go when green, etc.). When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or we take it to the garage for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry on your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake. You are responsible. All of these actions are the responsibility of the operator — the user. You, the user, will decide “How do I maintain my vehicle and operate it?” When you violate motor vehicle laws (and are caught), what occurs? You receive a ticket, and tickets carry consequences. In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court. With choices and actions come consequences.
You see where I am taking you. In the online world, we have the same basic responsibilities for security as a driver has in the physical world for safety. I personally strive to know and understand the best possible security protocols available to me in my work environment. Why? Because I know that the individuals and teams which create the policy and procedures, and those teams which research and select the software/hardware I use, are there to keep me and my experience safe. My responsibility is not to undermine the work of others. If I don’t have that support apparatus, then I rely on the reviews and advice available, and make my choices and purchases. I should, if I am thinking rationally, make sure I have auto-update enabled for my software, as this is the means by which the vendor patches previously unknown vulnerabilities. What if I am a singleton or small business who doesn’t have a security team supporting me? Is my lack of a support team in and of itself a vulnerability? Not in my view. You can still use the preferred practices of the industry: strong passwords; passwords that are not duplicated across third-party environments; keeping security software switched “on” rather than “turned off” because it steals CPU cycles and slows the system. And have a defined process for what happens if an anomalous event is observed. In my case, I take note, and I take action — I contact those who support me, and I research the security of my applications when alerted.
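As an added illustration of the “strong passwords” and “no duplicate passwords across third-party environments” practices above (this is example code written for this page, not code from the original post or from Cisco), the following script audits a small, constructed list of accounts of the kind a personal password manager can export. The service names, passwords and the short common-password list are all invented for the example; a real audit would use a large breach-derived word list and the minimum length your own policy sets.

```python
import re
from collections import defaultdict

# Constructed sample of accounts (hypothetical services and passwords,
# not real credentials), shaped like a password-manager export.
SAMPLE_ACCOUNTS = [
    {"service": "example-bank.test", "password": "Gk7!pale-river-stone-42"},
    {"service": "example-shop.test", "password": "Summer2024!"},
    {"service": "example-mail.test", "password": "Summer2024!"},
    {"service": "example-forum.test", "password": "password"},
    {"service": "example-social.test", "password": "Xq9#vL2m!pR7wZ4kNd"},
]

# Tiny constructed stand-in for a breach-derived common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed minimum length; adjust to your own policy.
MIN_LENGTH = 12


def find_reused_passwords(accounts):
    """Return {password: [services]} for every password used on more than one service."""
    by_password = defaultdict(list)
    for acct in accounts:
        by_password[acct["password"]].append(acct["service"])
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def password_weaknesses(password):
    """Return the reasons a password fails these checks; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    # Count how many of lower, upper, digit and symbol classes are present.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


def audit(accounts):
    """Combine the reuse check and the per-account strength check into one report."""
    weak = {}
    for acct in accounts:
        reasons = password_weaknesses(acct["password"])
        if reasons:
            weak[acct["service"]] = reasons
    return {"reused": find_reused_passwords(accounts), "weak": weak}


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS)
    # Report which services share a password, without echoing the password itself.
    for services in report["reused"].values():
        print("same password reused across: " + ", ".join(services))
    for service, reasons in report["weak"].items():
        print(f"{service}: {'; '.join(reasons)}")
```

The report deliberately names the services that share a password rather than the password itself, so the output can be pasted into a ticket or shown to a family member without leaking the secret. On the sample data it flags the two services sharing “Summer2024!” as reused, and lists those two plus the forum account as weak.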
How do I know this? Osmosis? No. Just as I learned how to drive and maintain an automobile, I must learn how to be a responsible user. This takes education. When I learned to drive I took driver’s education. Why wouldn’t I take computer user education? I read, trained, and practiced prior to being tested for my vehicle operator’s license, and tested I have been — in every single state or country I’ve resided in. I avail myself of any and all training presented so that my and my family’s online experiences are safe and secure. If I undermine my own secure computing environment, what are the consequences? At work I might lose sensitive company data; at home I risk losing personal identifying information, account information or family memorabilia.
In closing, wear your seat belt when riding in a motor vehicle; don’t inflict wounds upon yourself in your online experience — use strong passwords, keep your security software up to date, and back up your data.
—–
The above was drawn from a piece originally written in January 2010 by Christopher Burgess and published on the Cisco Security Blog: Security – Who is Responsible?