What are good ways to educate about IT security in a company?

Question

I work in a company where security is a "fire once forget forever" concern. The administrator sets up a solution and seldom follow up and maintain it. As a result, we've got a security policy that's kind of Swiss-cheesed: full of holes.

For example:

password security policies requiring changing every xx days with no backtracking, but accounts whose passwords are not changing handed to anyone to access special folders and database, even interns who then leave with the unchanging info
desktop and network antivirus, but no policy against USB drives. So far most viruses are caught and the culprit scolded, but one time with a 0-day is enough...

I have the feeling that security is a cosmetic concern here; the management want to be seen doing something, but is not doing the right thing, or not everything that should be done.

I thought about gray-hatting to demonstrate the problems in a dramatic way, but I don't think it's the right way to educate people about security in this context (perhaps in a completely security-focused company where everyone gets the situation).

So I'm wondering about a good way to spin the need for a more resilient security strategy. I'm not in a position to point out blogs and direct experts advice, because management doesn't talk English.

I was thinking about doing either an elevator pitch with some dramatic claims or a ten minutes demo of existing problems.

What do you think about these ideas? Are there recommended ways to point out security flaws when auditing for a client so as not to alienate them by basically saying "that's an half-bottomed work you did"? Are there particularly effective demos (just launching a firesheep? but that borders on gray-hatting) you'd recommend?

See also http://security.stackexchange.com/q/157/33 (but not quite duplicate) — AviD, Nov 21 '10 at 13:46
@Traroth: not exactly, but there's a storm coming, and i'd prefer not to be in the middle of it without protection. — samy, Nov 23 '10 at 09:56

score 10 · Accepted Answer · answered Nov 20 '10 at 02:28

What has worked on several occasions for me is to stick the following chart in front of management:

alt text

Run down the list of threats (left column) and ask if they believe if any of those type people described may harm the business.

If so, then you may have won a battle. Now you can describe what is needed to address each of those threats.

@atdre had a great comment about this chart on a different question:

I don't like this because it doesn't convey the power of collusion or conspiracy. The underground community and underground economy puts all of these guys in the same room together and gives them tools to trade. – atdre`

So you may want to extend the list of threats to include communities.

I'd be tempted to start off with just the internal, non-hostile attacks. "Did you know that noob in sales might be costing us $xM?" — , Nov 20 '10 at 21:33

score 9 · Answer 2 · answered Nov 19 '10 at 13:32

Launching a "simulated" attack against your company's network should only be done with explicit, written permission of senior management based on an understanding of the scope of your work and agreed limitations on the results of your attack. Otherwise you risk getting yourself fired for sabotage, espionage, or just plain violating local rules.

But how do you get such permission when there's no awareness of the problem? That's where your "elevator pitch" idea is a good one. I'd recommend taking it to the relevant people in the company hierarchy in the correct order, starting with the IT staff before you go to the management/C-level/directors. The management have delegated responsibility for day-to-day operations to the sysadmins, who are the people who will ultimately have to make any changes. Presenting your suggestions as an edict from on high will only serve to alienate the people whose job it is to implement those suggestions.

your idea about presenting the idea in the "right order" is a smart one. I always assume that it's always management that's the problem, but sometimes event the IT staff is not aware of the problem and simple rules at the IT level could help mitigate problems — samy, Nov 23 '10 at 09:55

score 2 · Answer 3 · answered Nov 19 '10 at 15:40

The conversation about security with the people with the money is always a conversation about risk. Do not do over-dramatised elevator pitches, or run around screaming about the end of the world. This is an easy way to become easily discredited and generally ignored. Instead, talk to the business about what they're trying to achieve with their systems, and then present the current risks they're carrying as a result of their (lack of) security controls.

If you can convince the business that they're carrying a risk that will cost them £10 million pa in incidents, that you can eliminate with a £100,000pa control, it's a no-brainer. They'll jump at the chance to cheaply reduce their total risk.

Everything that the business spends needs to be justified in the context of the business. "We have no antivirus on our public Windows-based webserver" is meaningless. "We're vulnerable to have our service disrupted about once a year costing £2million each time" is meaningful.

Once you've got your fancy new set of security controls built, the challange them is keeping them effective. Security is about process as well as technology. Once you've convinced the business to spend some money reducing their risk, the problem then becomes altering the perception that security is something you buy. In actual fact, it's something you do.

you're very close, but you're missing out on one very important aspect: risk. "Vulnerable to disruption of £2M" is also meaningless, unless its something like "there is a 50% chance of £2M worth of disruption", that is a risk value of £1M that business risk management knows how to handle. (Of course, HOW to define the actual risk is another [question](http://security.stackexchange.com/q/403/33) ). — AviD, Nov 21 '10 at 13:56
Isn't it the case that the likelihood is addressed by the expected frequency of occurrence? Likelihood is meaningless without a timeframe (The likelihood of me going home in the next 6 hours is high, but the likelihood of me going home in the next 2 minutes is low) - in my experience the business equates 'likelihood' with 'how often is this going to happen this year'. — growse, Dec 14 '10 at 16:21

Alexis Dufrenoy · Answer 4 · 2011-05-14T14:00:06.023

One major argument: Security disasters are not questions beginning with "if". They begin with "when"!

The right security policies will not completly eliminate the risks, because it's impossible. But it will drastically lower the risks, and so, the rate of disasters. It's a matter of investment and return on investment, really. Spend money so you will lose less. Thinking must be the same as for quality insurance.

score 1 · Answer 5 · answered Nov 23 '10 at 16:40

You have to quantify expected payout: risk damage * risk likelihood.

This assumes the person you are talking to actually cares about the business. That might sound cynical, but consider this: security has a cost in money, training, frustration. These reflect immediately on the person implementing increased security, but security violations and disasters might not reflect on the person. If this person's boss only sees the negatives (cost) to security and doesn't blame people for disasters, then it doesn't make sense for this person to increase security.

The whole Dilbert Pointy-headed manager really stereotypes a certain type of manager. The kind of manager that is very good at not getting blamed for anything, but letting the company go down in flames.

Basically, if you are up against this kind of dysfunction, your pitch needs to concentrate on how it makes the manager look bad, and how to increase security without making the manager look bad for wasting money on security ("firewalls? we've been getting along just fine and he goes and wastes thousands of dollars").

What are good ways to educate about IT security in a company?

5 Answers5

Linked