

Six Sigma, PCI And Security

First, this is not a security metrics article.  So, if you are looking for that sort of thing, this is not it.

Do you remember Six Sigma?  It has gone a bit underground, but it is still big in manufacturing and distribution.  Six Sigma is defined as executing a given business process with no more than 3.4 defects or errors per million executions of the process.  That is 99.99966% accuracy or higher.  I have stated in previous postings that security requires 100% compliance.  To come as close to 100% as possible, security is structured in overlapping layers (i.e., defense in depth) so that an attacker has to get through every layer, not just one.  As long as each layer operates at Six Sigma levels or better, the layers overlap, and the layers fail independently of one another, the probability of getting through all of them is the product of the individual failure rates, which puts you very close to 100%.  That last condition matters: a single person or a single configuration push that takes several layers out at once does not get multiplied, and the stack is then only as good as that one shared point of failure.
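The arithmetic behind that layering argument, as an added example (this is not code from the PCI Guru post).  It assumes each layer is a simple per-execution defect rate, that "independent" layers fail without any shared cause, and it uses a constructed transaction volume and a constructed common-mode failure rate to show both the benefit of overlapping layers and how quickly a shared failure (someone disabling controls, a bad config push) wipes that benefit out:

```python
# Added example (not from the PCI Guru post): the arithmetic behind the
# "layers at Six Sigma or better" argument, plus the caveat that the
# multiplication only holds when the layers fail independently.
from typing import Iterable

SIX_SIGMA_DEFECT_RATE = 3.4 / 1_000_000   # 3.4 defects per million opportunities


def accuracy(defect_rate: float) -> float:
    """Share of executions done correctly: 1 - 3.4e-6 = 0.9999966 (99.99966%)."""
    return 1.0 - defect_rate


def independent_breach_probability(layer_defect_rates: Iterable[float]) -> float:
    """Probability that a single attempt gets through every overlapping layer.

    If each layer fails on its own, independently of the others, an attacker
    must get lucky at every layer, so the per-layer rates multiply.  An empty
    stack (no layers) returns 1.0: nothing stands in the way.
    """
    p = 1.0
    for rate in layer_defect_rates:
        p *= rate
    return p


def common_mode_breach_probability(layer_defect_rates: Iterable[float],
                                   common_mode_rate: float) -> float:
    """Same stack, but with a shared cause that takes out every layer at once
    (an operator disabling controls to meet a deadline, a bad config push).

    A breach now happens if the common-mode event occurs OR all layers fail
    independently.  The common-mode term dominates as soon as it is larger
    than the product of the per-layer rates, which it almost always is.
    """
    indep = independent_breach_probability(layer_defect_rates)
    return 1.0 - (1.0 - common_mode_rate) * (1.0 - indep)


def expected_breaches(executions: int, breach_probability: float) -> float:
    """Expected number of breaches over a given number of process executions."""
    return executions * breach_probability


if __name__ == "__main__":
    # Constructed scenario (an assumption, not from the post):
    # one million card transactions a day for a year.
    yearly = 1_000_000 * 365
    one_layer = [SIX_SIGMA_DEFECT_RATE]
    three_layers = [SIX_SIGMA_DEFECT_RATE] * 3
    # One layer switched off (defect rate 1.0) leaves two effective layers.
    one_disabled = [SIX_SIGMA_DEFECT_RATE, 1.0, SIX_SIGMA_DEFECT_RATE]

    print(f"accuracy of one Six Sigma layer: {accuracy(SIX_SIGMA_DEFECT_RATE):.7f}")
    print("expected breaches per year:")
    print(f"  one layer:          "
          f"{expected_breaches(yearly, independent_breach_probability(one_layer)):.1f}")
    print(f"  three layers:       "
          f"{expected_breaches(yearly, independent_breach_probability(three_layers)):.2e}")
    print(f"  one layer disabled: "
          f"{expected_breaches(yearly, independent_breach_probability(one_disabled)):.2e}")
    # A constructed common-mode failure rate of 1 in 10,000 swamps three
    # Six Sigma layers: the per-attempt breach probability is about 1e-4,
    # not 4e-17.
    print(f"breach probability, three layers plus 1e-4 common-mode failure: "
          f"{common_mode_breach_probability(three_layers, 1e-4):.2e}")
```

The takeaway is the one the post makes in words: three independent Six Sigma layers turn roughly 1,241 expected defects a year into effectively none, but a disabled layer or any shared cause of failure with a rate of one in ten thousand brings the stack right back to that shared rate.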

One of the complaints you hear about the PCI standards is that much of it focuses on policies, standards and procedures, and that documentation alone does not produce security.  Six Sigma experts will point out that if you do not have formally documented policies, standards and procedures, there is no way to achieve the consistency needed to ensure your organization’s security.  Such documentation is the foundation on which you build everything else.  Without a solid foundation, Six Sigma cannot be achieved.

Then there is the training involved.  Six Sigma has taught organizations that training is another critical component if you expect to achieve those levels.  If you are not training your personnel in all of your policies, standards and procedures, and in the rationale for why they matter, your employees are just going to blow them off.  And if you are not training them regularly, they will very quickly forget all about them.  These people are key to the success of your security program because, for the most part, they are the root cause of most security failures.  Statistics point to the fact that at least 65% of all breaches were the result of human error or other human causes.  If you are not addressing the human factor in your security program, you are doomed to fail.

I like to use the airline industry as a prime example of how well-documented policies, standards and procedures can make a significant difference.  Airlines have policies, standards and procedures for everything regarding the flying and maintenance of an airplane, and they rigidly enforce them; they have to, to stay in business.  Over time, airlines found that human error was the reason for most of the devastating crashes.  By instituting very rigid policies, standards and procedures, the airline industry was able to make air travel safer than driving your own car.  It is the same with security.  If you create a thoroughly documented set of policies, standards and procedures, just like the airlines, and you rigidly enforce adherence to that documentation, you will likely reduce your risk of suffering a breach or other security incident almost to zero.  I say almost, because there are people out there who, if they set their mind to breaching your security, will do whatever it takes to get the job done, no matter what barriers you put in their way.

So what typically causes security failures?  There are a number of issues that lead to security failures, but these seem to be the most common.

  • Someone cuts corners to get something done to meet a deadline.
  • Someone disables a security measure or misconfigures it.
  • Someone does not understand why a particular process is important and therefore just ignores it.
  • Someone encounters an incident and does not know what to do, so they wing it.

The first three issues are all the result of limited or no training.  If people do not understand their role and why that role is important, they will very easily regard their part as inconsequential and therefore not worth doing.  And even with defense in depth, if enough people take this attitude, the depth of your security no longer matters: the layers are supposed to fail independently, and a shared attitude of "this does not matter" is exactly the kind of common cause that takes several of them out at once.

This leads to the problem of keeping people engaged.  This is one of the biggest problems in security these days.  Do you realize that airports have been at the security advisory level of High since 2003?  That has been over six years.  Does anyone remember why or, for that matter, care?  No, because people are no longer engaged.  This problem is particularly acute for the people who monitor security alerts.  A lot of the reason that security technology initiatives fail is not the technology itself; it is that the technology was never tuned to weed out enough of the chaff for the real alerts to shine through.  As a result, people start to ignore all the alerts, because there are so many false positives to research before they ever get to the real issues.

The last bullet is a sticky issue, because it is in the exceptions to those well-defined processes that every organization runs into trouble.  It is the lack of definitive procedures for handling every exception where organizations fall apart.  The rationale you hear for this time and again is, “we cannot anticipate every possible exception.”  While that statement is very true, you can have a group of very well-trained personnel who handle those exceptions on a case-by-case basis.  If this sounds familiar, it should.  This is exactly how help desks are structured.  For security, Level 1 researches basic security issues such as locked accounts, denied access requests, service failures and the like.  Level 2 researches items that Level 1 is unable to resolve or answer, and also notifies users of new threats.  And those Level 3 people are the “propeller heads” who can do anything related to your security infrastructure.  Typically, Level 3 people are the ones who implement and maintain your security infrastructure.

At the end of the day, all of your security technology is only as protective as the people who interact with it.  A lot of organizations keep searching for technological solutions to solve all of their security problems.  Unfortunately, they miss the human part of the equation and the fact that it is the humans who are fallible and who will be the most likely reason that all of their precious technology gets defeated.  So, get your documentation in order, train the staff until it hurts and enforce everything.



May 2023