2004-11-30

Security: Soft Sell or Hard Sell?

To the average industry-certified, Slashdot-reading, tried-and-true uber-geek InfoSec analyst, the notion of a "Soft Sell" in Security never crosses the mind. Many have never even realized there was an option here. Why should you implement egress filtering on that firewall? Because it's the secure thing to do, you're putting our organization at risk without it, and because I'm the Subject Matter Expert (SME) and I said so. I have to admit, I was guilty of this until very recently. But experience at my present position has opened my eyes to the possibility that this approach may be far more detrimental than helpful.

First, let's consider exactly what it is I'm talking about, for those who might be scratching their heads as they read this. As InfoSec analysts, we are tasked with the daunting job of convincing users and other IT professionals to follow security best practices as they go about their business, among a litany of other responsibilities. In so many cases, there is a pre-existing behavior that is at odds with information security. Make no mistake, security takes effort, and oftentimes the professionals and users in question make no connection between getting their job done and information security practices beyond the fact that the latter inhibits the former. This makes our job one of coercion: we must convince people to do things differently.

In my experience, most security analysts and managers see repercussions and disciplinary action as the tool of choice to push their InfoSec agenda. This is what I refer to as the "hard sell." Do it, or else...

There is an innate problem with this approach, and every security manager and analyst has seen it, even if they don't realize it. The fallout of such an approach is a deep-seated annoyance with anything and everything InfoSec-related by all who are affected by this tactic. It is generally accepted in security that "everyone hates InfoSec," and that it's a "necessary evil." The problem here is that, when some hard and fast doctrine isn't in place with repercussions clearly spelled out, managers and analysts have a very hard time getting anything accomplished to promote the goals of Information Security.

While users and other IT staff are often regarded as unwilling and uninformed partners by many in Information Security, believe it or not many of them are reasonable people. They may be uninformed, but whose fault is that? By simplifying the problem of Information Security and presenting it in a clear and concise manner, staff can be educated on why we implement certain security policies. This is user education, and many organizations are already active participants. This plays a major role in getting users to follow good security practices without holding a hammer over their heads: the "soft sell." However, this concept is more corporate diplomacy than a one-way communication of the evils of the world to a group of users and IT staff. In order for this to be anything other than "yet another corporate directive," we must give a face and personality to the problem. We must interact with users on a one-on-one basis and simply be nice. Ask them what their major challenges are with information security policies. Ask them how your InfoSec group can make their job easier, while keeping the good security policies you've put in place. They may not know much about InfoSec, but I'm constantly amazed at the quality of feedback I get from users on the security topics that directly affect them every day. These people are experts at doing their job (usually), which means they know exactly where the pain points are. Perform serious follow-up work after receiving a suggestion, and get back to the user to let them know a timeline for implementing their suggestion, or why what they want is impossible. Don't just say "no" from the outset; this will discourage further dialogue.

Imagine if the United States didn't have a State department, and just went about the world demanding things while wielding the big stick of a global superpower without actually talking to anyone (regardless of what you may think of the current administration, there is still an astonishing amount of diplomacy that happens there). This is the state of Information Security at many organizations, and it is holding back progress towards a more secure environment. While it is impossible to be personal to each and every individual at a large organization, it is possible to do this with key decision-makers and managers in whatever your company's line of business is, and their positive attitude towards InfoSec will trickle down. Popularity is linked to momentum, and once you get this momentum going, you will see a rapid improvement in the willingness of your users and fellow IT staff to help your group accomplish its goals. I have seen it, and I am now a believer. But I will caution you against over-reliance on this tactic: there is still a time and place for the hard sell, and you must be willing to use it. Just make sure it's your well-organized Plan-B, and is used sparingly.

1 comment:

Kevin Blanchard said...

I am guilty of it too, lol

Though when engineering a security solution I am usually told to come up with the BEST solution, but then they usually inject a gem like "...that will not interrupt workflow on the network and be transparent so as not to interfere with the users."

Security always seems to be an uphill battle, esp. within a large company infrastructure.