Because I'm all about the "good enough."

Friday, January 13, 2012

Eating the security dog food.

I kept meaning to get back to Rafal Los's post on "The God Complex" -- and answer his question.

Are you an exception to your own security policies?
To which my answer is (was): no.  In fact, as a CISO I tried hard to follow every policy.

Why?  Because if it was too annoying for me, if it kept me from getting something important done, then it was probably obstructing other people too, and I should change the policy.

Admin rights?  There should be policies governing their access too -- arguably even more of them, because the more access you have, the higher the standard you should be held accountable to.  For their own protection as well as that of the users, admins should be able to demonstrate that there are checks on their powers and activities, and that they can be open about what they're doing.  It's harder to be accused of nefarious activities if you are completely above-board, show that you're willing to be subject to appropriate limits, and make a point of relinquishing any sole powers you might have.  Call it CYA, call it leading by example, whatever.  It's ethically important.

Not only is it the right thing to do, but it also helps in user relations.  A lot of security is about telling people that they're Doing Something Wrong.  And if you're going to be telling them that, then you'd better be doing things Right yourself. 

Now, constructing things so that everyone has accountability checks all the way up to the top can be harder than you think.  It can end up being "turtles all the way up," so to speak.  In every organization there's going to be an Ultimate Decider, and the Ultimate Decider is always someone who is too busy to do that deciding.  He or she will want to delegate parts of that responsibility back down the chain, leading to conflicts.  For example, someone can end up being deputized to submit and approve requests rather than having those broken up into separate duties, or be empowered to monitor the activities of their own bosses.  Sure, there will always be exceptions to policy, but the point is to design them so that they still have checks and balances on them -- not to ignore them and let them be gaping holes in your controls.  They need to be documented five ways from Sunday, approved by as many people as you can hunt down, and changed back to normal as soon as they're no longer necessary.

I'm sure everyone agrees that those with power need to be held accountable for that power, whether it's a government executive, law enforcement officers, the military, or any other person in a leadership position.  In security, you don't need to be a leader to have power, but you still need to be conscious of what you can do, how someone could abuse it, and how you can make sure you're not the one who will do the abusing.  You've got to protect the enterprise from external and internal threats, but one of those threats is you.  Go look in the mirror and start threat modeling.