Information Security and Business Management: The History and Reality of Misconceptions
Daniil M. Utin, MS, Mikhail A. Utin, Ph.D.
Preamble.
We published an article in Information Security Journal: A Global Perspective, 17:1 – 6, 2008, “General Misconceptions about Information Security Lead to Insecure World” [1]. We would like to return to its ideas and discuss them from a slightly different perspective, because the problems we identified are large in scope and cannot be addressed in a single article.
The evolution of Information Systems (InfoSys) and of information exchange opportunities caused the Dark Force to adopt and evolve its weapons, from simple boot sector viruses and cunning social engineering to botnets and the establishment of a Hacking Services Industry (HSI). The latter grows in parallel with the Information Security (InfoSec) Industry and has its own research and development, services and information for sale and, as a result, profits measured in billions of dollars.
Continuous InfoSec failures in both government and commercial systems raise questions not just about mishandling, sloppiness, or incompetence, but also about whether basic InfoSec concepts as we know them are in fact correct. We need to reevaluate the way we go about the security business as a whole.
We identified the problem as the utilization of InfoSys methods and principles of operation in a completely different business, InfoSec.
Being Reactive or Proactive?
We need to admit that HSI is always one step ahead of InfoSec, except when the FBI or international law enforcement authorities apprehend a few hackers. In general, InfoSec as we understand it is reactive by its nature. It started its existence as a defensive system, fixing problems and finding a technology solution to new threats or overwhelming attacks.
Staying on the defensive means a disadvantageous position, PR-wise. As a result, the battles are judged by successful hacking attacks, and the fact that the majority of attacks fail because of the defense is often overlooked.
Almost all current InfoSec technologies are defense-based, meaning “reactive”: firewalls, IDS/IPS, anti-malware measures, etc. What could be proactive in this case? For instance, anti-bot searching software such as web robots, which scan the Internet for botnets.
Such a “reactive” approach comes from InfoSys, which was, is, and will be a business-oriented set of naturally “reactive” services. InfoSec has its roots in InfoSys, and very often their roads cross paths. However, InfoSys and InfoSec are different. Thus, we need to move forward with completely different methods based on InfoSec needs. Otherwise, the battle will always be lost to a more proactive enemy.
There have been some attempts to develop methods of active defense, but the problem extends beyond technology. There is no legal basis for such active defense, and legal issues are expected to arise.
Our Vision: Active InfoSec defense should be legally permitted in this country, and the rest of the world will follow. We need to utilize offensive methods in addition to defensive ones.
Separation of duties
Separation of duties is one of the basic security principles. The discussion of the managerial separation of InfoSys and InfoSec took quite a while before settling. A majority of security professionals agreed that the two services should be divided. However, each organization arbitrarily determines for itself what kind of division is better. Unfortunately, InfoSys management usually considers InfoSec a branch of InfoSys, with all the implications that follow. It is a very traditional point of view, which, as we discussed above, comes from the early days of InfoSec.
Money also matters. A bigger budget means more power to control. The opinion of InfoSys management is that security is a “business oriented service” and should stay bound to InfoSys. We, however, see InfoSec as a security service, not a “business oriented” one. It should be completely separated from InfoSys management, even if management claims that the organization cannot afford it. We think that if an organization has an InfoSys group, then it should have at least one InfoSec person who does not belong to that group.
There is a tendency in InfoSys that makes complete separation very urgent. We see that more and more, InfoSys is managed based on a budget, not on technical or organizational needs. The major criterion is money. The outcome is global outsourcing, which frequently results in an inability to manage such outsourcing and the technology. We have seen multiple examples where the entire InfoSys has been outsourced to a services company, leaving only a small group of managers to handle the budget and the relationship between the organization and the contractor. Within a couple of years this group realized that they did not have people with the expertise to understand where InfoSys should technically develop, the possible solutions, etc. They ended up blindly relying on the contractor without knowing what the result should be. Extending such a practice to InfoSec is extremely dangerous, regardless of what security services providers might tell you. You can very easily lose control of your organization’s security, depending only on what the provider says.
Our vision: InfoSec management should be completely organizationally independent from InfoSys management. Methods of InfoSys management are not aligned with InfoSec goals.
Why are we late?
Let’s discuss why InfoSec is frequently late in securing business assets. Basically, we are talking about the final result, not intermediate activities.
In our article [1] we discussed an interesting case where it took 60 days to change 60 blank administrator passwords on a government-controlled enterprise network. It was a typical security situation where a fast and easy fix was possible. However, it took 60 days instead of just a couple of days, had a system administrator simply walked around the campus fixing passwords. Considering that all computers could be accessed by local personnel, it should not have taken more than a couple of hours.
Another interesting case came from one of the major US (and world) banks. A newly arrived security consultant needed a PC on the local network with certain access to network shared drives. It took two months (!) to finally get everything settled. The computer alone took one (!) month to set up. We see a magic number here: two months is roughly 60 days, as in the first case.
In both cases security and general InfoSys requests went through a multi-level support structure. It possibly does not matter exactly which hierarchy was in place in each case. Everyone tends to act and react slowly unless it is an extreme emergency. So, our first example is a copycat of InfoSys request processing in InfoSec. We think that we should not need to explain the danger and consequences of having a blank password, and that such requests should be treated by InfoSec in a completely different way.
Our vision: A copycat approach to management structure and methods, for instance copying service request processing from InfoSys into InfoSec, endangers business assets. As noted above, the methods of InfoSys management are not aligned with InfoSec’s goals. When it comes to security issues, the time of slow multi-level response must come to an end.
Local or global focus
In the world of InfoSys, a blank administrator password does not affect any business functions, business connections, or the company image. InfoSys generally does not care what happens outside of its local perimeter. And it does not even matter if it never gets fixed.
In the world of InfoSec, a blank administrator password leaves the computer completely open, an obvious exposure that should be fixed as soon as possible. Compromised computers will definitely represent a danger to the outside world as bots, sources of viruses, spam, etc.
This is purely InfoSec’s concern.
Subsequently, we can draw the following conclusions:
- InfoSec considers local as well as global interests, while the InfoSys approach focuses almost solely on local business interests.
- The same issues that are not considered problematic from InfoSys’ point of view could potentially present far-reaching problems for InfoSec.
Our vision: Our world is interconnected. Our security dependencies are interconnected. The age of local thinking (InfoSys) should be coming to an end.
Jacks of All Trades: The System Administrator and the Security Analyst
Another aspect of InfoSys influence on security matters comes through personnel management. A typical job requirements list for a system administrator contains a “laundry list” of operating systems, software, hardware, etc. We see a very similar “laundry list” approach in InfoSec hiring. This identikit comes from management’s lack of understanding of InfoSec and its unique needs. If a system administrator is extremely busy working on his assigned projects and fails to complete 10% of the tasks, it is, in all likelihood, not a severe problem. In fact, the majority of InfoSys administration tasks are not critical when it comes to possible business impact. However, if we take the same approach to security tasks, a 10% failure to complete is not acceptable. This is just like leaving your house when one in ten of its doors is wide open. A firewall that is 10% misconfigured, or 10% of computers lacking a security upgrade when a new exploit appears, could have a heavy impact on the business. A security job cannot be judged by the same criteria as an InfoSys job. Use of a “laundry list” is inappropriate. Hiring should be focused on subject matter professionals in one or two major aspects important to the organization. If there is a need to cover more subjects, then another professional should be hired. When it comes to senior and leading positions, candidates should, again, be technically proficient in one or two areas (and thus potentially capable of navigating some other technical aspects) and certified by leading organizations such as (ISC)2 to provide wide-spectrum expertise.
Our vision: Hiring security professionals by InfoSys rules is, at the least, unwise. The InfoSec job is all about security and cannot be treated, in either quantity or quality, as just an extension of the system administrator’s job function. Find a professional and educate them to your needs.
Management’s Technical Expertise
While some level of technical expertise is expected from someone in a high-level InfoSys management position, the primary focus is the business, not the technical, side. The US government puts an MBA with strong communication and administrative skills as the major requirement for an InfoSys Manager position. The Government’s intention to avoid hard technical work and get by just by moving papers and money around is understandable. Having an MBA for this kind of job is definitely sufficient. However, InfoSec is a completely different story. Erroneous decision making based on a lack of technical expertise will have devastating consequences in security. A Security Manager should be a technical professional (see the previous paragraph), well educated (MS or Ph.D.) and certified.
Our vision: Strong technical education and certification are required for InfoSec management. An MBA is not desirable.
On par with the business management
There is a very popular opinion that InfoSec should always seek a good relationship, support, and understanding from business management for its planned activity. Should the security of an organization, be it large or small, always depend on the limited technical expertise and understanding of security matters of a business manager? This is especially troubling today, when the complexity of both security systems and the threats they face can frequently be beyond the understanding of a manager with the very basic technical education covered in an MBA degree.
Today’s business can no longer divorce itself from or ignore security issues. Companies all over the world are connecting to the Internet in the normal course of doing business. The global economy is based on global access to resources. If the Internet is crippled, the global economy will suffer. While remaining largely insignificant from the business management point of view, a security event can pose a real threat to the company’s livelihood and to other businesses as well. Thus, business and security, having different goals and means of activity, are tightly bound together and basically cannot be separated from each other.
Our vision: The goals of business and security have become equally important. Security serves business as business serves security. The dominance of business management, basically acceptable in InfoSys, leads to insecure decision making in InfoSec.
Conclusion
If we want our InfoSec to function, we need to forget about our currently prevalent InfoSys approach. Each InfoSec function should be carefully researched and weighed in light of its primary goal – to protect. It is no longer a business goal; it is instead a security goal. How do you decide how much to spend on the security of your company? Any amount justified by expert opinion and thorough research is not a waste if it goes toward building up your company’s security infrastructure and systems. A single InfoSec breach can incur hundreds of millions in losses or, in some cases, bring an entire company to its knees.
Business management must understand that the information environment has changed drastically as compared to what it was 20, or even 10 years ago. We have vastly improved capabilities for sharing and transferring information, but at the same time we now face a large variety of new threats. Today, it is not uncommon to see an old managerial structure fail to respond, sometimes with catastrophic results, to an ever-escalating number, complexity, and strength of cyber attacks.
This new information environment requires new managerial structures and solutions.
We once tried to discuss, and still consider valuable, our idea of having two independent governing branches in each “good citizen” corporation. One branch is traditional business management (Chief Executive Officer) and the other is security management – the Chief Security Officer (CSO). This idea might be viable, as the US Government has three complementary branches which, on balance, work well together, as evidenced by the history of our country. The responsibilities of the CSO should be extended to include not just InfoSec but Financial Security as well. We have seen a lot of financial misconduct in the last several years, and only an appropriate corporate governing structure with an independent CSO and overall audit functions can put a stop to this misconduct.
About the Author
Born in Russia, 1974. Emigrated to the US in 1990. Graduated from Brandeis University, MS in Computer Science. Co-founder of three Internet services corporations. Director of R&D in an Internet gaming software company. Co-author of articles published on the Internet and in professional magazines.
