Why Executives Resist Security Initiatives

We have written a lot on this blog about our security assessments and the results that we typically see. While there are certainly unique discoveries in every assessment that we do (holes left open, passwords disclosed, and other careless mistakes made by overworked IT staff), there are often simple things left unpatched. I do believe that the IT staff knows of most of the technologies on the market to correct vulnerabilities, yet they may lack the skills necessary to implement them. Our research has illustrated that there are often other reasons why the implementation is lacking, and the one that stands out is that executives are resistant to change. Whatever the reason for that resistance, not enforcing these procedural changes could mean that the organization is vulnerable and at risk of a massive data breach.

No One is Asking for Change

You will be hard pressed to find people asking the IT department for tighter security controls that affect them and how they do their work. So, if a request comes from the executive office to implement tighter security controls, what they really want is tighter security controls on everyone else, applied in the background. When we review the way that people authenticate to the network, we often see three different worlds: how IT authenticates, how the general end users authenticate, and how the executives authenticate. In each of these differences lies a huge vulnerability. An attacker only needs to gain a foothold into the network through any one user. Thus, having variances means having vulnerabilities. Why are these three methods allowed to exist? The reason is simple: no one wants to burden their bosses, and IT does not want to deal with the trouble tickets that result from tighter end user controls.

How to Implement Changes

So how do you implement the necessary changes when there is resistance, real or perceived? By taking a stand for the network you are responsible for.

If you were a delivery driver, you would be responsible for the packages in the truck as well as for safely driving the truck. If you left the doors unlocked and got robbed, or if you drove the truck into a guardrail while texting and driving, it would likely result in you losing your job. You failed in your responsibility, so you will be held accountable for those actions.

It is no different in IT. You are responsible for the network. You are supposed to protect the digital assets of the company. And if you do not force the users to live up to a certain standard, then you are allowing an unsafe practice for which you could be held accountable. Most IT managers who are victims of a breach are either fired or resign within a few months after the breach occurs. This is because someone has to be held accountable, and rightfully so.

If I employed an IT manager and she allowed an unsafe practice without forcing changes, I would fire her for dereliction of duty. It is that simple.

Fix the Messaging

It’s your fault if you are failing to get the necessary changes implemented. You are not telling the right story. Fix your messaging and sell the story a different way. You must take a stand for the security of the network you are responsible for. Stop letting excuses prevent you from fixing the issues. There are tons of excuses out there - no budget, too hard to change, getting the proper buy-in. I don’t buy those.

If your roof was leaking, would you wait until the next fiscal year to fix it? If there is no budget it is because you are probably spending money on the wrong things.

If changes are too hard to implement then you need better advisers who can do it painlessly.

People don’t buy what they don’t understand. If you are trying to implement security controls to protect the driving force of the business, the IT infrastructure that makes doing business possible, you need to get the messaging right.

There are a ton of books on this. I would suggest you start with Simon Sinek’s Start With Why. Spend today trying to get the buy-in necessary to get your network protected.