The IT Security Food Chain: Predator or Prey?
According to John Pescatore, director of IT security training facility the SANS Institute, technology professionals need to tackle the biggest compliance and access issues at their companies before asking management for larger budgets or more resources. But with a host of security issues facing midsize companies — BYOD, applications offering "MyFi" hotspots and the Internet of Things to name a few — administrators must choose which problems get priority. In other words, which path offers the least resistance up the security food chain?
Don't Fill Up on Bread
TechRepublic recently sat down with Pescatore to pick his brain about what IT professionals should be doing to maximize their security resources. The SANS director raised a number of important points — for example, that there is no direct correlation between what a company spends on IT security and the actual security of the network. Management and IT do not always agree about what is important; all too often, IT professionals are tasked with patching minor security issues while larger issues run rampant, or they may be given directives to whitewash corporate access policies entirely without the required budget.
Climbing the security food chain starts with IT identifying where they fall on the spectrum. Those lower on the food chain are characterized by consuming small, furtive meals: these IT professionals seem to run around an office extinguishing small security fires. Predators seek bigger game, single targets such as cloud security or comprehensive access policies. Doing too little puts professionals at risk of being fully occupied with busywork, whereas biting off too much leaves companies open to potentially disastrous attacks. The key, according to Pescatore, is actually quite simple: Fix what is obvious using the resources provided.
The Omega Protocol
Access protocols offer solid starting ground for any IT security professional. According to an October 16 article in Bank Info Security, 66 percent of government IT users say security protocols at their agency are burdensome, 69 percent say their work takes longer than it should because of these protocols and almost 20 percent say they have been unable to complete a task as a direct result of overly strict security controls. This leads 31 percent of employees to use a workaround to get their work done.
Tackling this "shadow IT" has several benefits. First, the problem is in-house and can be resolved as such. Second, the resources needed to increase security already exist; IT staff know what safe browsing and access look like. The goal is straightforward: Working together with users, administrators must create a set of protocols that protect critical company data but do not needlessly restrict access. These protocols have to extend from front-line employees to the C-suite with no exceptions. While this often seems a hard sell, managers are more likely to come around if IT professionals include cost analysis in their project description.
Regardless of where IT professionals choose to begin, however, the goal is to look for high-visibility concerns with low costs to fix. This establishes a baseline on the IT security food chain, and success here encourages upper management to offer additional resources and time. Ideally, administrators want to steer away from prey behavior and toward that of predators who take the fastest, easiest route to a meal.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.