One of the most common conflicts I see in corporate environments is between those who are responsible for information security assurance and those within the IT department that are constantly pushing the technology envelope.
The security officers, often coming from an audit, physical security or military background, are less comfortable with the technology, and this weighs heavily on their decision-making process.
The technophiles, on the other hand, want the latest products and want systems to work together seamlessly, even though security by definition sometimes means making things not work. There is also often an age gap. Do your people resemble the IT Guy and Security Guy I have often met?
IT Guy - Only has beta software on his machine, which runs with the cover off.
Security Guy - Newest software is four years old, doesn't need anything more fun than Solitaire.
IT Guy - "Fixes" the firewall by adding a rule for Internet chat.
Security Guy - "Solves" the modem pool audit by taking a scissors to all the loose flat satin cables.
IT Guy - Has his own DSL line and Proxy Server. Originally part of the new technologies research budget, he now sells Internet access to marketing.
Security Guy - Won't buy online. Does his research at Amazon.com, then picks up the book from Wal-Mart on the way home.
IT Guy - Radar detector allows him to achieve maximum speeds on the way home - the only time he isn't online.
Security Guy - Always drives five miles under the speed limit - except when he is being followed by the NSA.
IT Guy - Met all his friends online.
Security Guy - Has no friends.
This isn't a good guy/bad guy story. You have seen it in your organization: both are loyally working for the company, albeit by serving vastly different constituencies. However, when these folks don't have a strong working relationship, total corporate security suffers. While some in management see having polar opposites as creating a healthy set of checks and balances, that is not what I see.
The technologists, frustrated by the pace of the security decision-making process, simply use their skills to go around the perceived barriers and sometimes create dangerously insecure systems. Those responsible for security, if they feel IT is not heeding proper security precautions, may slow their processes down even more or make arbitrary decisions. These situations result in what I call the security reality gap - the delta between how management believes its systems are configured and how they are actually configured, once the backdoors created by some within the IT department are counted. Even organizations that suspect the existence of this gap are often surprised by its magnitude - the exceptions seem to be the rule.
What needs to be done? Organizational conflict is usually harder to fix than mere technology, but you can try to narrow the differences between Security Guy and IT Guy. Security Guy can gain better technical skills. Generally speaking, security people would benefit from upgrading their technical capabilities a level or two: better TCP/IP knowledge, an understanding of how different services use IP, what the various port assignments mean, and what new IP-enabled applications are coming. Staying current on changes in client operating systems, browsers and applications can also help head off trouble, because the client, not the server, will be the weak link in the internal network. Better technical knowledge not only improves your decision making; from a social standpoint it also reduces conflict with the technologists by allowing quick consensus on some of the issues.
On the other hand, many IT professionals need help to think more like the boss. Many technologists try hard to use their skills to solve a problem when the user community had no business asking for the solution in the first place. Empower IT professionals to push back on gray-area requests that would create gray-area security situations. Sometimes you just have to say no to a user request - even one from a highly placed user.
IT Guy and Security Guy don't always need to see eye to eye, but sometimes walking in each other's moccasins can help them work together. (Oh, and there are better games than Solitaire nowadays.)
RELATED LINKS
IBM exec shares views on net security
Network World, 08/18/99
The security specialist
Network World, 05/10/99
Archive of Network World on Security newsletters
