As I listened to the opening keynote address at this year’s BlackHat conference, Shawn Henry touched on a number of familiar themes: defense-in-depth, controlling access to data, operational awareness, and so on. Shawn made a number of good points, but one really stuck with me: “We have the ability to make our networks and systems a much more hostile (i.e. difficult) environment for our adversaries to operate in.”
This is absolutely true. Implemented and used properly, technologies available today could certainly make life much more difficult for our adversaries and dramatically reduce the risk of suffering an information security breach.
So why don’t organizations do this? What’s holding organizations back from implementing more robust security?
I have spent a lot of time thinking about this question and chewing through ideas for how organizations could raise the bar on security.
As I reflected on all of this, a familiar tenet of information security came to mind: “Information security is everyone’s responsibility.” This is a common platitude in information security circles, oft-repeated in organizational security awareness training. We say it a lot, but I’m not sure that most organizations really mean it.
Let me illustrate what I’m driving at by pointing to organizational incentive compensation plans and performance evaluations. I’ve met with numerous Fortune 500 companies and government entities and none of the organizations I’ve worked with tie bonuses or performance reviews for general IT or business staff to information security performance. In most companies, the only people incented (or penalized) for information security performance are the information security team.
When you think about some of the things that lead to security breaches – insecure system builds, poorly written code, acceptance of significant levels of identified risk, etc. – how many of these common security failures could be reduced or eliminated through proper incentive plans and accountability structures? I’m willing to bet that if IT bonuses were tied to vulnerability assessment results, the IT team would be willing to put a lot more effort into ensuring that systems are designed, deployed, and managed in a more secure manner.
If application developer bonuses and performance reviews were linked to the number of security flaws found in their applications after they reach production, developers would put more effort into writing code that is not only functional but secure. Similarly, if a portion of a business leader’s bonus were tied to the outcome of the risks they chose to accept, they might not be so willing to accept serious security risks just to meet a project deadline.
What do you think? If organizations were willing to take this approach and make it clear that everyone really does have direct responsibility for information security, would we start seeing better results from the money spent on information security?
Cross-posted from Symantec Connect: What’s @Stake