Security Mistakes: Technology or Behavior?

Enterprises have many considerations to make when evaluating their security standings – technical, organizational, and behavioral.

Gary Audin

March 6, 2015


Security is an ongoing battle for every organization. Whatever you do to secure your infrastructure and data, there will always be someone counting on organizational behavior to leave security weak points, and using new tools to attack them.

Attitudes about security can either enable or retard security development and implementation. Security is more than the technology applied to ensure things are secure. Security is also how the organization envisions security and its place in the business processes.

Love That New Technology
Looking for the best product or service means looking at a transitioning solution -- whatever is best now may not be best next week. Technical solutions are not the only solutions. Those marketing their products and services will dwell on the latest security issues and how their technology solutions mitigate the problems. But focusing on new technology can lead an organization to bypass, ignore, or miss other pertinent security issues. The latest technology cannot correct the behavior or improve the policies that may be the root cause of the security problems.

A few questions to consider are:

  • Should policies and procedures be changed?

  • What are the life cycles of existing security technologies?

  • How much do the existing technologies address known security vulnerabilities?

  • Is the staff capable of implementing and maintaining the new technologies?

Distrust That New Technology
The opposite behavioral problem can occur when IT implements a new technology that interferes with smooth business processes. This is common when the new technologies impose restrictions or extra effort on the users and the organization's customers. Is the security staff inclined to say no to anything new that would require new security solutions? This behavior can backfire, since users may develop workarounds that satisfy their requirements but do not adhere to the organization's security requirements.

Points to consider include:

  • Are new technologies blocked from the users because they can impose more work on IT?

  • Are external resources blocked that were once accessible?

  • Are new applications prevented from being implemented because of security concerns?

A good approach is to avoid forcing updates with little regard for the user's productivity.

Focus on the User and Business, Not Technology
Security is there to protect the organization, its staff, and customers. It can be easy for those in charge of security to place their requirements before those of the organization. This attitude can foster the creation of goals that do not improve the operation of the organization. Such security goals may actually weaken security, incur CAPEX and OPEX that are not beneficial, and alienate the users. It can be quite easy for the business and security requirements, and their implementation, to become misaligned.

Actions worth considering are:

  • Do not require a password per application

  • Avoid requiring users to frequently change passwords

  • Ensure that security devices such as firewalls and intrusion prevention systems do not create outages for the user's legitimate access

Beware the Checklist
Many vendors prepare checklists that the organization can use to evaluate itself. The checklist can be valuable but should not be considered the final answer. Anyone who prepares a checklist will focus on what they know and can miss important considerations. Once the checklist is published, warranted additions will continue to arise, but the checklist may not be properly updated. The danger is that an organization can mistakenly believe it has done a good job implementing security because it has satisfied all the checklist items.

Consider:

  • The checklist writer's viewpoints as a vendor

  • How old the checklist is

  • How well the checklist relates to the organization's environment

Organizing Security Management
There will be someone in the organization who looks at security as a risk management situation. IT will most likely not report up through the risk management executive. Therefore, the risk management and IT staffs often have an uncooperative relationship and may not collaborate effectively.

As viewed by IT, risk management is a business issue, not a technical issue. The end result can be either an over-engineered implementation with an associated high cost or an under-engineered implementation that leaves the organization vulnerable.

Further, there can be internal problems within IT that complicate security management. One example would be a lack of collaboration that leads the network staff to implement solutions that are redundant with those implemented by the security staff.

Because of the disconnect between IT and risk management goals, as well as the potential for inconsistencies between network and endpoint security, one idea to consider is whether the chief information security officer (CISO) should be under the CIO.

Policy Management Unfocused
There will always be changes in IT systems, networks, applications, and data. How an organization deals with the changes and continues to implement security measures is just as important as the initial implementation of the security solutions.

When working to optimize your organization's security approach, consider:

  • How up-to-date are the firewall and SBC policies?

  • Do the application producers inform security of their changes?

  • How well are security policies documented?

  • Are there workflow gaps that affect security?

  • Could automation tools be implemented that could help with the change management process?

There is a weakness in this blog: This post is itself a form of checklist, which I cautioned you to beware of earlier. But these considerations are presented as such to expose some of the issues involved with security. If you like checklists as a tool, then my advice would be to look for as many checklists as possible and combine them. But don't consider your work done – because even then, the resulting checklist can have gaps.

Gary Audin will be speaking at the Enterprise Connect Orlando 2015 conference, taking place March 16 to 19 in Orlando, in the session, "Right-Sizing Your SIP Trunking Procurement," on Wednesday, March 18, at 3:45 p.m. If you haven't yet registered, do so now using the code NJSPEAKER and receive $300 off an event pass.

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been a keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.