When Dr. Gene Spafford and I wrote the original version of the Tripwire software program in 1992, it was to help solve the security problem of how to restore systems to a known good state after they have been compromised. But since then, my area of passion has moved from computer security to IT operations.
I believe a large part of this is because, unlike in computer security, the prevailing belief system in IT operations is not one of victimhood, but one of competent paranoia. Having studied high performing IT operations and security organizations, I have come to conclude that when you have repeatable and verifiable IT operational processes in place, it is much easier to embed security controls and by doing so, simultaneously achieve operational and security objectives. In other words, solve the operational problems, and you solve the majority of security problems as well.
However, if this is indeed the case, why is it that the press continually focuses on those companies that have succumbed to the usual IT security incidents, such as lost personal data, security breaches, system outages, viruses and other threats?
Or maybe the better question is, when reporting on security failures, why isn't the press asking the really tough questions? For instance, in the FBI study that polled 239 companies, they found that 71 percent reported unauthorized access to systems by insiders. Fine. All that this reveals is that humans often have means, motive and opportunity to do things they shouldn't. This is not news.
The real story starts to get told when you ask, "How effectively did the IT security staff perform in these organizations?" Was the loss even detected by security, or was it detected by the customer? Was security asleep at the wheel, and if so, how was all their headcount allocated and capital budget spent? What were they focused on that they missed the big risks?
In other words, if unauthorized access is so prevalent in IT systems, where were the security people who are actually paid to prevent, detect and correct them? In the journalism industry, there is a saying, "If it doesn't bleed, it doesn't lead." In journalism, it may be justifiable to focus on the victims. However, when management gets paid to achieve results (and this includes IT security), becoming a victim is rarely a winning strategy, and definitely not worth emulating.
In operational research and decision sciences, we study those who are doing things right, and try to understand what they're doing differently that results in their outcomes. The goal is then to capture and codify the behaviors so the rest of the industry can replicate their successes.
I was part of the research team that completed a breakthrough study at the IT Process Institute (ITPI) which recently released its findings on high performing IT organizations, called the 2006 IT Benchmark Performance Study. The goal was to uncover the link between controls and performance, both from an operational and security perspective. The results were stunning: There exists a group of high performing security organizations that outperform their peers by a factor of five to seven. From a security perspective, here's what happened when these organizations had a security breach:
· When high performers had security breaches, those security breaches were far less likely to result in loss events (such as financial, reputational and customer). Loss events in high performers were 29-percent less likely than in medium performers and 84-percent less likely than in low perfomers
· When high performers had security breaches, they were far more likely to detect them using automated controls. Compared to high performers, medium performers were 60-percent less likely to detect a breach through automated controls, while low performers 79-percent less likely to do so. In other words, high performers had the right controls in place to detect security breaches; low performers found out from external sources (such as customers and newspaper headlines).
· When high performers had security breaches, they detected them far more quickly. High performers had a mean time to detect measured in minutes, compared to hours for medium performers and days for low performers.
To summarize, security breaches in high performers are far less likely to result in a company loss event, far more likely to be detected by an automated control and are found far more quickly. These are the security organizations that are clearly not asleep at the wheel, as they are doing a better job at preventing, detecting and correcting security breaches!
Interestingly enough, the researchers also found that high performing security organizations were awarded with three times more budget than medium and low performers. They are creating such demonstrable value for the business that their requests for headcount and capital budgets are being approved. Contrast this to many security organizations that can't get any additional budget approved (this is what we often refer to as the "weekly car payment plan").
What were the high performers doing differently? We found two controls that were present in every high performer, and absent in every medium and low performer. These two controls seemed to make the difference, far more than the other 63 COBIT controls within the six ITIL process areas we examined:
1. They actively monitor systems for unauthorized change
2. They have defined consequences for intentional, unauthorized changes
When I see organizations that implement these two controls, I see an organization that has a "culture of change management." The second control states that there is tone at the top, stating that the only acceptable number of unauthorized changes is zero, and that management will take necessary action to keep unauthorized change from happening again. The first control states that unauthorized change jeopardizes so many objectives, both operational and security, that we must put technical controls in place so we can detect unauthorized change before it causes a catastrophic outage or a security breach.
What the research seems to indicate is that unauthorized change, whether accidental or malicious in nature, pose more of a threat to IT than we ever suspected. But, more importantly, the rewards for mitigating those threats also benefit IT operations and security is also far higher than we ever suspected.
Over the years, we've found that certain processes and controls have catalytic and sustaining properties, meaning that the value they add demonstrably exceeds the cost to implement and report out on them. Change control is one of those processes. Knowing what change has taken place allows IT to quickly recognize unauthorized change and thwart its potential damaging affects on security.
In order for IT executives to sit at the strategic business table, they must first have implemented an effective change control process. Security must be measured not just from the outside, but also from the inside. Change control must be integrated into daily operations to prevent security breaches, helping reduce the percent of security incidents that result in loss events. It can also expedite successful conclusions to security investigations. Until IT understands this concept, the organization will remain less than half secure, remain on the brink of self-sabotage, and too easily prone to being a victim.
About the author
Gene Kim is co-founder and chief technology officer of Tripwire, Inc. He is also co-founder of the IT Process Institute and co-author of the Visible Ops Handbook, published in 2003.
