What surprises most businesses we work with is that, after we finish a security assessment for them, many of their vulnerabilities trace back to their IT provider.
How is this possible, you ask? I mean, aren’t IT people the ones who understand security the best?
The short answer is “kinda.”
Yep, they do understand security. Some of them are experts in it, in fact. However, they still make mistakes, and so this interview with Caleb is all about understanding what these blunders are and how we can avoid them.
Example 1: Turning Stuff “ON”
Caleb (05:53) – In my experience, everything in business is about functionality and cybersecurity is seen as an annoying layer of cost and inconvenience. It’s either not considered or it’s dismissed for the sake of adding more features.
IT people just turn stuff “on”. They may look through the security settings, but when they are asked to turn on two-factor authentication, they don’t do it because “we don’t need it”. There’s really no security assessment baked in.
They just turn more and more stuff on and they let more and more information be connected to the Internet. They are constantly adding vulnerability and exposure without locking stuff down.
Derek (06:55) – Makes sense. They’re opening things or they’re adding more features. Can you share a specific example that you’ve seen?
Caleb (07:15) – People spin up free Dropbox accounts with sensitive work information all the time. Some business owners don’t know what’s happening and others really don’t understand the impact of storing company information on free services that don’t have the same licensing and privacy restrictions as the paid accounts.
Derek (08:14) – That makes a lot of sense, people leveraging all the great free stuff that’s out there and no one thinking about the potential worst-case scenario. What’s the second mistake that you commonly run into?
Example 2: IT Prioritizing Features
Caleb (08:41) – This is kind of an extension of number one, but IT people tend to prioritize features. They focus only on those and don’t take a look at the back-end or other implications to the business. I’m not saying adding remote connectivity or adding Dropbox or whatever file-sharing service is wrong. They may well be needed features, but good security is an enabler of the business; it allows people to take those risks in a measured fashion.
For example, adding two-factor authentication is just one simple way to lock stuff down. But when people prioritize features, it’s typical for an IT person to always want the latest and greatest, while typically lacking the holistic understanding of the impact on the business of one technology over another. By adding more features, they’re just introducing more risk.
It’s been said that if an IT guy was promoted to CIO, that company would be bankrupt within a year or two because they would be buying everything. It takes a business mindset, not a technical mindset, to understand what really needs to happen.
Example 3: IT Don’t Know How To Communicate Security Risks
Caleb (10:29) – IT either don’t take the time to learn security or, if they do, they just have a lot of trouble communicating it.
For example, they can see the snake in the grass in front of the CEO on that walking path, but they don’t know how to communicate it. Business people and technical people talk a different language.
Even if they do understand the security implications, they have a hard time expressing it in a language that business leaders listen to and understand.
Derek (11:23) – That’s really scary to think that they know the implications but they’re just unable to communicate it properly. If it’s just a matter of communicating things better, then you can get closer to closing gaps.
Caleb (11:46) – Unfortunately, there’s a lot of “no” all the time in IT; the technical people tend to be that way – not all of them, of course, but there’s a lot of “I told you so” when something goes wrong.
My question for them is “did you really tell them, and did you say it in a way they couldn’t understand?”
Derek (12:07) – In your opinion, how much would you say the reason for these mistakes is lack of time or just bad communication?
Caleb (12:34) – I would say on the time side, especially for small businesses who may have one person full time, they are busy enough maintaining features and making sure systems stay on. Information security is a separate discipline from information technology.
If you look at the enterprise, they’ve got different reporting structures. You’ve got a CIO and a CIS. Those are two separate executive chairs with different goals or different ways to achieve the business goals. I would say that typically the incumbent IT person or department is capable of executing the projects if they receive appropriate security guidance. But the decision-making and the risk assessment is not something that’s in their wheelhouse.