When Security Controls Give Less Control

Security risks in our organisation are usually risks we want to treat. To achieve this, security professionals turn to implementing so-called controls. This is a word loaded with promise. Of course we want control, especially with the growing amount of cyber uncertainty. But do the techniques we use for controlling risk necessarily result in actual control?

Competent people are needed to reap the benefits of technical controls.

Unsurprisingly, there are several factors which decide how effective our controls are. Controls can be implemented in several ways, and each must be fit to the organisation they are implemented in. They must also take the human factor into account —all those people who play a part in making security happen. Or not (yet).

Many organisations have for instance defined a change management process. This is a common control for improving quality when changes in IT systems need to be done. Nobody wants business interruption due to system downtime, because this has an obvious impact on productivity. A controlled process for planning and deploying system changes can also help taking security impacts of those changes into account.

The question is to what extent this process actually works.

I once advised a company who intended to have a change management process in place. The change manager was a seasoned IT professional, having spent many years in the organisation. I interviewed both him and several others about information security, including how their change management process worked. The change manager told me about receiving many types of requests from people in his organisation, including change requests with a potential impact on security. As a specific example, we talked about opening ports in the firewall to support new service integrations. In those cases, he simply signed off the request and forwarded it to the network department.

“Do you assess the security impact that these change may have?”, I asked.

He answered that this was taken care of by the network department. “They are the ones having the full overview of firewall rules”, he explained to me.

Obviously, I had to go and check with the network department. Can you guess what they said?

“When we receive a request like that, we just execute as specified.”

Apparently, the intended security control was out of control. It became clear that the change manager was not trained in information security at all. In fact, the change manager was not even aware of the security role he was intended to fill — he simply did his best to serve functional requirements coming from his colleagues, while working to avoid downtime (indeed, availability is also part of information security). The change manager was not at all against security — he was overall very positive indeed, but he lacked both security awareness and competence. I would not blame the change manager for this. But while the company’s security intentions were good, they came short on execution.

The security control looked good on paper, but it actually became counter effective in practice: The change management policy would lead people to believe that security was controlled, when in reality it was not. If the organisation believed their firewall was a security control, they now also uncovered that it no longer worked as intended.

“[…] the root of every seemingly technical problem is actually a human problem.” — Eric Reis (The Lean Startup)

Communication gaps are a commonly found weakness in processes, also when processes concern security. Both parties in the conversation just assume that security is taken care of, while nobody have a clear reason for challenging this assumption. Still, your organisation’s security depends on a whole system of people, policies and procedures. This is valid regardless of whether you are oriented towards information security standards like ISO 27001 on the management system, and ISO 27002 on the security controls. It does not depend on whether those policies and procedures are formalised, either. In any case, evaluating how well you close the gap between technical (imagined) control, and actual control, is a rewarding practice.

Uncovering gaps like this reveals great opportunity for investing in people. And for reaping the benefits of your technical investments.

People need security awareness, education and training. This is in itself a security control, just like doing change management and having a firewall can control risk. All employees need a certain level of security competence. We also need to embed a culture where security is everyone’s responsibility. In addition, anyone who are involved in the organisation’s information security management system need specific awareness and competence for filling the particlular responsibility they are given.

Technical people tend to believe that technical controls can be applied in a technical manner. But for any organisation who wants to operate securely as a connected business, dealing with security is more often a human problem than a technical one. In those cases, I dare say we need more eye contact. Even when dealing with technical controls like a firewall.


Image credit: Christopher Batt (CC BY-SA 2.0)


PS: If your organisation’s human security controls need some special attention and care, my company Secure Practice can help. Drop us a line at [email protected] and we’ll find a way!