AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Taking Care of Your Business

Welcome to the fourth blog in our special series, Mitigating Gartner’s Network Security Worst Practices.

In this post we’ll cover the worst practice of “Insufficient Focus on Users and Business Requirements” which Gartner also fondly calls “That’s what our policy says”[1]. According to research, “Security projects that are owned exclusively within the security team face the risk of neglecting business and user requirements, which are too often seen as constraints.”

I believe Einstein said that “Two things are infinite: the universe and human stupidity; and I’m not sure about the universe!” Security teams are often guilty of taking this concept to the extreme, assuming business users will do stupid things which only a strict security policy can prevent. However, it does not take an Einstein to understand that, as crazy as this notion may sound, security is here to enable business, and not the other way around.

While not always easy, I believe this worst practice can be substantially mitigated by taking the following steps:

  1. Put yourself in the business users’ shoes. Retail companies have been conducting “mystery shopper” exercises for years to understand the shopper experience from the shopper’s point of view. Try to go through the same steps a business user does to perform a certain task. If you are frustrated by the experience, chances are they will be too. See if you can remove obstacles without sacrificing security.
  2. Collaborate early with business users. Unfortunately, security is all too often an afterthought which is “bolted on” once an application or business process has been finalized. Forward-looking organizations are extending the DevOps model to include security, a practice often dubbed DevSecOps. Call it what you like, it basically means security teams are involved early in development projects so that they can determine how these applications should be secured while still in the design phase.
  3. Ensure visibility into the business impact of security operations. With the complexity of today’s networks and applications, it’s very difficult to understand the impact of a security change (such as adding a firewall rule) on business applications. This complexity and lack of visibility can have some serious implications including:
    • Outages to business services caused by misconfigurations.
    • Overly permissive network access, since access for decommissioned applications is never removed for fear of breaking something that is working.
    • Slowed or even blocked productivity, because of the inability to understand how business requirements translate to the network level.

To summarize, as with avoiding most of the worst practices, we believe security teams should ensure they adopt the right mentality (think meeting every morning, holding hands and chanting “The end user is not the enemy”), incentivize the right actions (read the Gartner report for more great ideas) and make sure to have the right solutions to align security operations with the business.

About the Mitigating Gartner’s Network Security Worst Practices Blog Series

In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.


[1] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.
