InfoSec: Facts vs. Feelings

Preservation of cultural integrity within an organization is often among senior leadership’s top priorities. This is understandable, given the influence that culture has on morale, efficiency, and productivity. Potential impact on the culture carries significant weight in decision-making processes across all departments, particularly those that generate revenue (aka “The Business”). In some instances, decisions that may negatively impact the business are unavoidable. When this occurs, key stakeholders come together to determine the degree of imposition deemed acceptable.

What Makes the Business?

As Information Security professionals, the sanctity of the business is something we know all too well. With each new project, we are quickly reminded that the security controls we implement are to be designed in such a way that they do not negatively impact the business.
Generally, we have accepted this concept as a reality, despite the added time and effort it entails. However, a high-level problem frequently presents itself: the elements that collectively define ‘the business’ commonly differ between InfoSec and other stakeholders.
Both generally rely on fact-based operational modeling. For example, the system of an employee who processes customer orders over the phone would be defined as the business, given its important role in the revenue-generating process. Therefore, its performance and operational integrity warrant additional consideration. Conversely, a server used for application development testing would not be defined as the business, given that it is not directly part of revenue generation.
The difference is that, in addition to fact-based modeling, other stakeholders tend to roll feeling-based elements under the umbrella of ‘the business’ (e.g., access to personal social media, or the ability to use removable media without restriction). Feeling-based elements are not critical to the business’s ability to generate revenue, but they are very influential in the organization’s culture.

Balancing the Business with InfoSec: Facts vs. Feelings

The ability to stay connected to the world outside the confines of work is important to employees. Perhaps as a side effect of the ever-growing IoT industry, around-the-clock connectivity has become commonplace in our lives.
Regardless of the factors that contribute to a culture’s make-up, one universal truth remains ever present: allowing feelings to trump facts when it comes to security is a flawed premise to rely upon.
Consider the following facts and feelings in a scenario where you are trying to decide whether to block personal email usage on company assets.
Feelings – against restricting personal email usage:

  • User’s ease of access to their information
  • Perception as being controlling/micro-managing
  • Key revenue-generators’ potential adverse reaction
  • Seamless bridge between on-site and remote (from home) work

Facts – in favor of implementing security controls that restrict personal email usage:

  • 66% of malware is installed via malicious email attachments
  • 73% of breaches are financially motivated
  • 75% of attacks are perpetrated from outside of the organization
  • The average hash-life of a piece of malware is less than one (1) minute [1]

Truthfully, the ‘feelings’ are irrelevant to the risk. In some situations the ‘feelings’ will be compelling; in others they may be difficult to reconcile with logic. Either way, they do not change the facts above.
Feelings are variable; facts are consistent – they are the truth.

Countering the Threatscape

The climate of today’s threatscape is troubling, to say the least. Conversations and changes that may affect culture are rarely welcomed with open arms. In fact, our adversaries prey on the expectation that we coddle and preserve our antiquated methods.
The progress being made in proactive security solutions continues to impress. Increased spending is driving the industry toward $100B+ and is complemented by a 0% unemployment rate [2]. However, at the end of the day, the most robust solution, operated by the most intelligent and experienced professionals, amounts to little more than waste if we leave the front door wide open for the bad guys to get in.
For further discussion, contact Alex at [email protected].
[1] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
[2] https://www.infosecconnect.com/2017/02/17/cybersecurity-talent-shortage-zero-unemployment-no-unicorns/