When I started to work in this industry, I thought IT security was highly technical and deeply professional. Or vice versa. As a fresh graduate, I felt some verve to work where things happen. And to be honest, I expected some romantic mystique as well. Nowadays, IT security is driven by fears and lawyers. When a CEO reads about a huge zombie network, he will order the security team to deploy the Anti-Zombie appliance. When the government reads this article, in fact, it will create a new law that will force companies to get anti-zombie tools. OK, maybe I’m exaggerating a bit, but we are being micromanaged on a daily basis.
Featured Download: Social media access at work. Do your employees know the rules?
Additionally, we aren’t the most popular guys in the company. In fact, we are everything but popular. We are pulling back the business from adopting new technologies because of security reasons. And in fact, new technologies are typically really not as secure as we would expect. But at the same time they are key factors of competitiveness. Difficult situation. What is more important, the COBIT or the company? What does security mean anyway?
Let me quote Kris Buytaert from the DevOps movement: “A good security policy prevents people from ruining their business. A bad security policy prevents people from growing their business.”
I do believe that IT security is in a crisis. We have more and more conflicts with businesses day-by-day. On one hand, they need more security, but on the other, they don’t need more control. It is a constant conflict that poisons our lives.
Do we have a possible solution? Yes. Put more emphasis on monitoring! You can elevate the level of security with monitoring, a course of action which has many benefits. Less cost, less bureaucracy, higher staff morale and agility, and of course greater security.
Monitoring can replace control in many cases because security is about people. And control tools cannot do too much with the “human factor,” i.e. human intelligence and silliness. Have you heard about a single sales representative leaving the company without the complete customer database? Or did you know that around half of employees use the corporate password for their private registrations? Or just think about a classic APT attack with a touch of social engineering. We have to face the fact that the human factor is the most risky element with regards to the network. Control tools are very appropriate against automatic attacks launched by machines, but they fail to protect against people.
What is my IT security vision? Just think about real life! Have you ever set up an electric fence around your garden? Are you wearing a bulletproof vest? No, for either of these would be very uncomfortable and expensive. Only your diamonds are kept in the strong box. You use hard control only in the most risky situations. In all other cases, you have to trust visibility and law enforcement.
Going forward, IT security needs greater visibility and more effective penalties, a change which can be effected by striking a new balance between control and monitoring. I believe this is the next big step in the evolution of IT security.
By Atilla Kiss, Marketing Leader, BalaBit
About BalaBit
BalaBit – headquartered in Luxembourg – is a European IT security innovator, specialized in advanced monitoring technologies. It has sales offices in France, Germany, Hungary, Russia, in the UK and the United States and partners in 40+ countries. The main development centers are based in Hungary. BalaBit has customers all over the world including 23 percent of the Fortune 100 companies.
The company is widely-known for syslog-ng™, its open source log management solution, used by more than a million companies worldwide. This significant user base provides a solid ground for the business expansion which is fueled by Shell Control Box™, a pioneering development for the rapidly-growing niche of privileged activity monitoring market.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.