Never Sell Security As Security
March 23, 2009
Some months ago, a fellow Information Security professional posted to one of the mailing lists I monitor, looking for security arguments to refute the latest skunkworks project from her sales department. Essentially, one of the sales folks had developed a thick client application that connected to an internal customer database. The plan was to equip all of the sales agents in the field with this application and allow them to connect directly back through the corporate firewall to the production copy of the database over an unencrypted link. This seemed like a terrible idea, and the poster was looking to marshal arguments against deploying this software.
The predictable discussion ensued, with everybody on the list enumerating the many reasons why this was a bad idea from an InfoSec perspective and in some cases suggesting work-arounds to spackle over deficiencies in the design of the system. My advice was simpler– refute the design on Engineering principles rather than InfoSec grounds. Specifically:
- The system had no provision for allowing the users to work off-line or when the corporate database was unavailable.
- While the system worked fine in the corporate LAN environment, bandwidth and latency issues over the Internet would probably render the application unusable.
Sure enough, when confronted with these reasonable engineering arguments, the project was scrapped as unworkable. The Information Security group didn’t need to waste any of their precious political capital shooting down this obviously bad idea.
This episode ties into a motto I’ve developed during my career: “Never sell security as security.” In general, Information Security only gets a limited number of trump cards they can play to control the architecture and deployment of all the IT-related projects in the pipeline. So anything they can do to create IT harmony and information security without exhausting their hand is a benefit.
It’s also useful to consider my motto when trying to get funding for Information Security related projects. It’s been my experience that many companies will only invest in Information Security a limited number of times: “We spent $35K on a new firewall to keep the nasty hackers at bay and that’s all you get.” To achieve the comprehensive security architecture you need to keep your organization safe, you need to get creative about aligning security procurement with other business initiatives.
For example, file integrity assessment tools like Tripwire have an obvious forensic benefit when a security incident occurs, but the up-front cost of acquiring, deploying, and using these tools just for the occasional forensic benefit often makes them a non-starter for organizations. However, if you change the game and point out that the primary ongoing benefit of these tools is as a control on your own change management processes, then they become something that the organization is willing to pay for. You’ll notice that the nice folks at Tripwire realized this long ago and sell their software as “Configuration Control”, not “Security”.
Sometimes you can get organizational support from even further afield. I once sold an organization on using sudo with the blessings of Human Resources because it streamlined their employee termination processes: nobody knew the root passwords, so the passwords didn’t need to get changed every time somebody from IT left the company. When we ran the numbers, this turned out to be a significant cost-savings for the company.
So be creative and don’t go into every project with your Information Security blinders on. There are lots of projects in the pipeline that may be bad ideas from an Information Security perspective, but it’s likely that they have other problems as well. You can use those problems as leverage to implement architectures that are more efficient and rational from an Engineering as well as from an Information Security perspective. Similarly there are critical business processes that the Information Security group can leverage to implement necessary security controls without necessarily spending Information Security’s capital (or political) budget.