In the emergency services world (Fire Fighting, Search and Rescue, Police, EMS, etc.), it’s important for a responder to be situationally aware while responding to an incident. The same should be true for your IT Team within your business.
As team members get focused on specific initiatives, or driven towards specific product release goals and dates, they tend to be concentrated on single tasks without understanding the larger picture and how those tasks may affect the organization’s security posture. Perhaps a database administrator is focused on getting a new database up for an application without understanding the access requirements for the application and inadvertently creates a user that has overly permissive access rights. At the same time, an app developer is being pushed to release a new feature that accepts user input in the application and they fail to implement appropriate input validation. Combined, these two issues could cause a significant vulnerability in the application. Perhaps the two issues by themselves don’t create a critical problem, but together they are much worse.
You may have dedicated IT security staff to help with your organization's security program. Although great, even this team must remember to focus on the big picture. It's easy to get caught up in specific projects. Maybe the team just installed a new Intrusion Prevention System (IPS) and becomes hyper-focused on installing and tuning that system to really "get their money's worth" out of it. Meanwhile, they are neglecting the fact that internal users have poor practices with regard to how they use their business-assigned laptops outside of the premises, allowing attackers to physically steal hardware. Or users let their kids play online games on the system and it gets infected with malware or other remote access tools, which allow attackers to steal company information while the laptop is on a network where there is no IPS to protect it.
Organizational security should be approached holistically—from the perspective of an interconnected, complex system, where each sub-piece supports the others. In a way, it's similar to our own bodies. The digestive system cannot function without the nervous system and circulatory system, and vice versa. The state of your business's security depends on the security within your applications, your network, your users, your physical building, and that of the 3rd party services you use. It's important to keep the big picture in mind and look at how all of these systems interact and work with each other, and how each link can affect the others.
Gerrit Padgham
Principal Security Consultant