While it is hard to argue that the general level of security competence is increasing and better security tools are available every day, why is it that security remains a problem?
In our experience, there is a particular class of security problems that is becoming more frequent, not less. The problems we're referring to are caused by people, not technology. In particular, we're referring to problems that occur at organizational boundaries, where different business units or different technical specialties intersect. Inevitably, major security problems can be found along these organizational fault lines.
The Problem
These exposures exist because too often, IT professionals focus on their narrow areas of expertise and they don't spend much time thinking about where the application meets the infrastructure. It is not an unfair characterization to say that because of turf issues, funding battles, and pressure to do more with less, responsibility is fragmented.
System administrators often look only at their immediate area of responsibility. Application analysts focus on the controls available to them inside their application and don't think about the protocol that travels across the wire. Server system administrators don't look into application space because their performance is measured on uptime and host security; after all, aren't those apps guys minding their own store? The database administrators are simply trying to keep the performance up for the next five applications that are scheduled to use the same database server. Network engineers are worried about getting the packets to their destinations. And frequently, security engineers are focused on firewall rule changes and updating anti-virus signatures.
Especially in the security realm, new and evolving systems require broad analysis. Narrowly focused specialists miss the weak protocol, the overloading of authentication mechanisms, or the accommodation for one system that destroys the security of another. Only a generalist, whose scope is the enterprise context, can span the gaps that exist between the focus areas of a traditionally organized IT department.
It is ironic that the critical missing skill, the ability to step back and see an application in its full environmental context, so often attracts the organizational immune system response. Time and again we've seen the person with the global view accused of "not being a team player."
The Solution
Obviously what is needed is a generalist - but a proliferation of subject matter expert "generalists" just starts the cycle all over again. Where then do generalists come from? Whether they are called architect, systems engineer or senior analyst, the IT generalist has developed expertise in a number of areas. Usually they have spent part of their career as a system administrator or systems programmer, gaining the knowledge needed to understand fundamental systems principles like authentication, authorization, distributed services and email. Many have been application developers or database administrators. All have programming experience. Lastly, they have network engineering experience at least at the LAN level, providing them with a necessary understanding of protocols, topology and performance characteristics. Gaining this breadth of knowledge is not an overnight task, so the generalist is often a mid-career or later employee.
Where does a generalist fit into the organization? We have seen them in security groups, in enterprise architecture groups, and in project management groups. These positions help to minimize the immune reaction since they are inherently cross-functional in nature. By serving in groups that are constantly exposed to all of the projects in the enterprise, they also are able to maintain their knowledge of how 'everything' works.
The Last Word
The combination of people overloaded with pressing day-to-day responsibilities coupled with a healthy measure of territoriality creates visible fault lines in many organizations. Historically, since most IT environments were largely self-contained, these fault lines were masked to the outside world. In today's IT environments, with extensive Internet, ASP, and business partner connectivity, these same fault lines are all too apparent and readily exploitable. An IT generalist may be what you need to implement your 'seismic upgrade' and protect your organization.
Jonathan Gossels is president, and Mark Mellis is a consultant, with SystemExperts Corporation (www.systemexperts.com), a provider of network security consulting services.
