Information Assurance remains a growing field of expertise, maturing on an almost daily basis. The industry has exploded over the last 10 years even though the concepts of IA have been around since as early as the 1960s. Although the industry and its practitioners continue to evolve, those in upper management have a difficult time fully grasping the core principles. As in many areas of management these days, there are far too many gun-shy managers who are more concerned with appearances and perception than with properly mitigating risk to the networks they are charged with protecting.
Information Assurance, like any job where managing risk is involved, is about tough decisions. Almost all information assurance choices are not cut and dried, not black and white. Security versus convenience. The vast majority of IA work resides in that gray area, where a case can be made for either argument.
The deciding factors are similar to those in traditional security models, with risk topping the list. Is the risk, whether small or large, acceptable? Determinations are based on a sound evaluation of the threat. Is it credible? Is it easy to exploit? And so on.
Risk management is a huge domain of information assurance, and one that practitioners take seriously. IA professionals regularly complete risk assessments and continually evaluate the threat. These findings are regularly compiled into reports and/or briefed to management so they can make informed decisions.
How does this affect information security specifically?
Unfortunately, most in upper management subscribe to the cover-your-ass mentality. In the majority of cases, upper managers are far more concerned with their careers and peer relationships than with pulling the trigger on difficult decisions. When it comes to brass tacks, many upper managers will weasel their way out of a tough decision to save face with their peers.
This is what I have aptly dubbed the “I don’t want to be a dick” syndrome of information assurance. Managers, whether directly involved in IA or charged with rendering a verdict based on risk assessments performed by IA staff, opt not to make the tough, right decision. Instead, they choose to accept unnecessary risk because they don’t want to be perceived as a dick by those within their organization.
Simply put, in their eyes it is easier to maintain good working relationships with their peers than to properly protect the network. In this day and age, when networks are constantly under attack from unknown, unforeseen vectors, it is important to make tough decisions; otherwise, avoiding them may have unintended consequences in the future. Playing the CYA game in IA is not an adequate security posture, even though it may be a popular route with one’s peers.
Adding unnecessary risk to a network is dangerous and can lead to bad things(tm), especially if not properly managed. If upper management is content with taking the easy route, then the IA team is going to find it exponentially more difficult to protect the network. Displaying weakness when making IA decisions is tantamount to a general displaying weakness on the battlefield – the enemy will exploit those vulnerabilities to the organization’s detriment.
While it is important that the IA team not be perceived as the “network Nazis,” this must not be accomplished by evading complicated decisions when the risk is unacceptable. If there is a valid threat, then the decision, while not necessarily in line with the desires of the end-users, should be fairly obvious. IA must not be a roadblock to productivity; however, legitimate security concerns must be addressed rather than ignored.
So how is the “Dick” syndrome mitigated?
As I mentioned at the beginning of the article, information assurance decisions are rarely black and white. They are oftentimes difficult, complicated and thorny. In many cases, the choices will likely piss off the end-users, who will look for ways around the policies implemented by the IA team.
Being perceived as a dick is fairly easy to mitigate. Listen to your end-users and make them believe you truly care about their operations and productivity. They need to understand that their thoughts are taken into consideration when the IA team performs risk assessments. Even though the decision to implement may not go the way they desire, if they feel that they are part of the process then they will understand in the end.
Consistency is key. When IA decisions are constantly going back and forth it sends the wrong signals. End-users feed off of consistency and should come to know what to expect from their IA team. Fear of the unknown is one of the reasons end-users perceive their IA team as the bad guys. Inconsistency leads to uneven application of IA policies, which in turn causes confusion for the end-users. Never send mixed signals.
“NO” cannot always be the first answer. When an IA team automatically responds to inquiries with “no,” it ends up causing more harm than good, even if the request must ultimately be disapproved. This links back to what I mentioned about allowing the users to feel as if they are part of the process. An automatic “NO” answer is decidedly against such a mantra.
Conclusion
IA, like many professions, has its ups and downs, and is filled with days where you may feel like an asshole even though you desire to assist the end-user. Unfortunately, doing the right thing is not easy – it’s tough because the very people who you are providing a service to are staring at you, awaiting a helpful answer.
If you are charged with making difficult IA-related decisions, you must think of the risk to the network before anything else. Relationships with peers, with supervisors, with subordinates, must be placed on the back burner. Failure to do so because you “don’t want to be a dick” is dereliction of duty. Placing unacceptable, unnecessary risk on the networks is self-serving and precarious.
