Getting Security Buy-in from Everybody

Buy-in for Information Security projects, initiatives, and "we should just be doing it" items is a tricky thing. Support from senior leaders in the organization is key for resources (i.e. $$$$) and for using their name in vain (i.e. "this is a top priority of Mr. Big Pants" or "this project has the visibility of Mrs. Big Office"). But other than the money and maybe telling their direct reports it is important, they really don't do a lot for the execution of the project or initiative.

What we, the Information Security team, need is the support of the IT teams (Windows and Linux administrators, Identity Management, Application support teams, Network services, etc.). These are the teams that have to do the bulk of the work to implement most of our initiatives and complete our projects. But why doesn't word get down to them that it is important? Why aren't they jumping up and down to help us? Well, guess what? They have other things to do. Like their daily break/fix, updates, customer enhancements... you know, things like their job.

So where does the solution fall? I believe it is two-fold. First, IT is an expense center... organizations are running IT...

What Should Information Security Be Responsible For?

In the Enterprise environment it seems there is always a battle around who should be responsible for what in IT. And there is always some manager or director who complains (or his or her people do it for them) that Information Security seems to be over-stepping its bounds. Where is that boundary and where should it be? The answer to both questions is that it depends on the organizational structure, the expertise on different teams, and the culture of the organization.

A couple of areas that always seem to come up are email and network security controls. Let's look at email first. No information security team wants to be responsible for working tickets about emails that weren't delivered or restoring mailboxes. These activities should reside with an email team. However, who should control the settings on the mail scanner and what is or isn't allowed through? I believe that regardless of who does the actual setting of the security controls on the mail scanner, the Information Security team should be the final decision maker on what the controls are set to. Since the Information Security team is the group that has the knowledge about the risks, vulnerabilities, and exploits, and they...

Is the problem local admin or change?

Welcome back. "...back after {an} exclusive three year tour of Europe, Scandinavia and the sub continent" (Cab Calloway in the Blues Brothers). Ok, not really, I never left the city for more than a week at a time, and that was for training. However, you may be asking yourself, where has Skeeter been? Well, it is a long story. But the Cliff's Notes version is a new job, completing my Masters degree, and earning several certifications. Now I am back to pondering Information Security thoughts in my blog. Hopefully on a more regular basis.

Today's topic is local admin on workstations, or maybe just the process of change. An organization has allowed users to have local admin on their respective workstations forever. But the world has changed and security controls need to be implemented. So, why is it so hard to take local admin away? It shouldn't take months and months of planning and then talking, and going back and forth. Why doesn't management get it? Is it just that people don't like change? It should be...