The Importance of a Security Strategy

As an information security manager, I have been involved mostly with security- or compliance-related strategic planning. One of my former employers struggled to pass its compliance audits for a couple of years, mainly due to IT security and control failures. Since most of the company’s processes rely on information technology, an effective design of information security controls is a precondition for passing audits. One of our biggest hurdles was the legacy ERP (enterprise resource planning) system that had been implemented more than a decade earlier. Instead of a “default deny” (positive) security model, the system was configured as “default allow.” The former model (default deny) denies all access by default and then grants each user only the access they need. This is similar to whitelisting on a network, where you define the protocols and ports that are allowed and turn everything else off. The latter (default allow) gives everyone access to everything and then takes back what they don’t need. From a security best-practice perspective, default allow is the worst way of implementing access controls on a critical business system.
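As an added illustration of the two models contrasted above (example code written for this page, not from the original post or from the ERP system it describes; the users, transactions and access needs are constructed), the evaluator below provisions the same least-privilege state under both models and then goes one step beyond the text: it simulates two routine changes, a new module appearing and a new account being created, with nobody updating the policy.

```python
"""Default deny vs. default allow: a toy access-control evaluator.

Constructed example; users, ERP transactions and their needs are hypothetical.
"""
from typing import Dict, Iterable, Set

# Constructed sample data: ERP transactions and the access each user really needs.
RESOURCES: Set[str] = {"gl_post", "ap_pay", "payroll_run", "vendor_master", "user_admin"}
NEEDED: Dict[str, Set[str]] = {
    "alice": {"gl_post"},
    "bob": {"ap_pay", "vendor_master"},
    "carol": set(),  # auditor with read-only duties: needs none of these
}


class DefaultDenyPolicy:
    """Positive model: nothing is allowed unless an explicit grant exists."""

    def __init__(self) -> None:
        self._grants: Dict[str, Set[str]] = {}

    def grant(self, user: str, resource: str) -> None:
        self._grants.setdefault(user, set()).add(resource)

    def is_allowed(self, user: str, resource: str) -> bool:
        return resource in self._grants.get(user, set())


class DefaultAllowPolicy:
    """Negative model: everything is allowed unless an explicit revocation exists."""

    def __init__(self) -> None:
        self._revoked: Dict[str, Set[str]] = {}

    def revoke(self, user: str, resource: str) -> None:
        self._revoked.setdefault(user, set()).add(resource)

    def is_allowed(self, user: str, resource: str) -> bool:
        return resource not in self._revoked.get(user, set())


def provision(policy, needed: Dict[str, Set[str]], resources: Set[str]):
    """Configure either model so that, right now, each listed user gets exactly what they need."""
    for user, needs in needed.items():
        for resource in resources:
            if isinstance(policy, DefaultDenyPolicy):
                if resource in needs:
                    policy.grant(user, resource)
            elif resource not in needs:
                policy.revoke(user, resource)
    return policy


def excess_access(policy, needed: Dict[str, Set[str]],
                  users: Iterable[str], resources: Set[str]) -> Dict[str, Set[str]]:
    """Return, per user, every resource the policy allows that the user does not need."""
    excess: Dict[str, Set[str]] = {}
    for user in users:
        allowed = {r for r in resources if policy.is_allowed(user, r)}
        extra = allowed - needed.get(user, set())
        if extra:
            excess[user] = extra
    return excess


def compare_after_change(new_resource: str = "new_module", new_user: str = "dave"):
    """Provision both models, then simulate a new module and a new account with no policy update.

    Returns ((deny_before, allow_before), (deny_after, allow_after)) as excess-access maps.
    """
    deny = provision(DefaultDenyPolicy(), NEEDED, RESOURCES)
    allow = provision(DefaultAllowPolicy(), NEEDED, RESOURCES)
    users = set(NEEDED)
    # Immediately after provisioning both models are at least privilege.
    before = (excess_access(deny, NEEDED, users, RESOURCES),
              excess_access(allow, NEEDED, users, RESOURCES))
    # Later a new module appears and a new user is created; the policy is untouched.
    resources = RESOURCES | {new_resource}
    users = users | {new_user}
    after = (excess_access(deny, NEEDED, users, resources),
             excess_access(allow, NEEDED, users, resources))
    return before, after


if __name__ == "__main__":
    before, after = compare_after_change()
    print("excess before change:", before)
    print("excess after change: ", after)
```

The point the output makes is that both models look identical on the day the access review is signed off; they diverge the moment the system drifts. Under default deny, the unlisted module and the new account stay inaccessible until someone deliberately grants access. Under default allow, every existing user silently inherits the new module and the new account starts with access to everything, which is exactly the gap manual compensating controls have to keep closing.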

To pass the audit without replacing a million-dollar system, we needed a game plan. A compliance team was formed, composed of IT, security, internal audit, and business executives. We determined what we currently had (people, technology, processes), as well as our strengths and weaknesses. We knew we couldn’t change how the system worked or switch its security model to default deny without disrupting business operations. So the best option we had was to implement many manual compensating controls just to pass an annual regulatory compliance audit. Our common goal was to pass the audit without incurring a lot of cost. That was the tradeoff – more manual processes in exchange for lower cost.

It took us more than a year to finally get a positive assessment from the external auditors. The path to that point, however, was full of challenges. A few people were unwilling to change the way they did things. Because manual processes were introduced in areas such as change management and user provisioning, administrators and users had to spend more time and effort. There were still security lapses, but in the end our strategic plan (and its implementation) led to a more successful audit. The next goal was to get that legacy ERP replaced with SAP.

For me, the main takeaway from the effort was the importance of developing an effective strategy to tackle seemingly insurmountable problems. We must know where we are and where we want to be. We should weigh all possible options and must be willing to make tradeoffs. Support and cooperation from key stakeholders, such as senior management and business users, are vital. Furthermore, implementing the strategy is as important as developing the strategy itself.

Some people may say that strategy development is irrelevant in a rapidly changing environment where agility is king. They may be able to fix a certain part of a problem at a particular point in time without a sound strategy, but I doubt they will have a focused, consistent, and effective plan to prepare for and handle the risks that come their way.
