Articles for July 2020

Importance of Security Frameworks

If I had to build an IT organization from scratch, I would absolutely make an applicable security framework the backbone. Why? A security framework (such as the NIST Cybersecurity Framework or the CIS Controls, commonly called CIS20) is a structured set of security controls that, when implemented, produces not just a well-balanced security program but also a well-balanced IT program.

Security is Woven into Every Functional Area of a Company

My understanding of the makeup of an IT department came atypically. I was in the United States Air Force when Uncle Sam desired that I become a network engineer. At that time, I couldn't tell you the difference between an IP address and a subnet mask. It took me a couple of months to understand how those on the help desk, the desktop team, virtualization engineers, Linux administrators, Windows administrators, network engineers, security engineers, and project managers all contributed to a functioning Information Technology organization. I observed that while all the verticals work together, they only interact at the edges of each particular service. The lone exception was security. Security is integrated into each and every other discipline, and for good reason.

In other words, security is the critical common thread. So, while not a conventional thought, but maybe not too surprising either, every team across the IT department can benefit from a security-oriented tool. Specifically, I'm referring to security frameworks. Typically used to identify gaps, a security framework usually contains more than 100 controls that strengthen the various areas of an IT organization. Implementation is typically driven by compliance, and, sadly, most organizations aim for the minimum effort to save time and investment. It is the organizations that set out to raise their security posture, and treat a framework's controls as a floor to exceed rather than a ceiling to reach, that separate themselves from the vulnerable.

Not Just Any Security Framework: The Right Framework

It should be noted, not all frameworks are created equal. Some more closely resemble a speed bump than a high jump event. HIPAA is one of these low-bar frameworks (HITRUST CSF, which is often paired with it, is considerably more prescriptive). To illustrate, the password requirement in HIPAA is that an organization must have a password policy. That's it. No details on what that password policy should consist of with regard to complexity, rotation, etc. Other frameworks have a narrow focus, like NIST 800-171 or PCI-DSS. PCI-DSS, well known for protecting credit card data, only pertains to the Cardholder Data Environment (CDE) and the systems connected to it, and many organizations ignore security practices in other areas of their network. NIST 800-171 likewise focuses on Controlled Unclassified Information (CUI) and does not apply to the entirety of the network. Choosing the right framework for your whole environment, not just the regulated slice of it, is what determines the outcome.

One of my favorite frameworks, because of how it is organized, is CIS20. CIS20 comes from the Center for Internet Security, also known for publishing the CIS Benchmarks used as system hardening standards for various devices and operating systems. CIS20 is broken out into 20 high-level controls supported by a total of 171 sub-controls. The framework further groups the 20 controls into three sections, Basic, Foundational, and Organizational, which conveys the relative impact of those controls. Additionally, version 7.1 introduced implementation groups (IG1 through IG3) to help prioritize the roll-out. The net result is that CIS20 presents a fairly self-evident roadmap for securing your IT organization.

Security Frameworks Lead to a Better IT Department

What's not so apparent is that this approach also helps you focus on and develop the different areas of IT support your organization may be expecting from you. Asset Inventory, Administrative Privileges, Monitoring, Email and Web Browsers, Data Recovery, Data Protection, and Incident Response are all addressed by the CIS20 framework. It also covers the more obvious security functions like firewalls, security awareness training, and vulnerability management, but focusing on that first list addresses the services and structure an IT organization should have in place to offer a quality service to the business.

Why would a security framework touch on these elements of IT delivery? It has a lot to do with a basic security concept called the CIA triad. CIA stands for Confidentiality, Integrity, and Availability. All three of these elements are considered critical to security. Lose any one of them and the three-legged stool falls over. Importantly, these goals should sync with the goals of the IT department as a whole. Making sure that services are available and reliable should be weighed equally with protecting information and ensuring its integrity is not lost.

While opportunities don’t come around often to build an IT organization in a greenfield scenario, leveraging a security framework can help provide a quick report card on gaps in your IT services. Based on the relationship between security and IT as a whole, closing these gaps will not only elevate your security posture, but also the level of service your IT department offers your organization.

IT is no longer a Utility

I walked into a meeting with a senior executive who brought us in to solve issues their IT department was trying to overcome. The simplified request was, "I want to walk into the office in the morning and for it to work, like turning on the light switch and the light turns on." This is a very understandable ask, but the answer has been changing over the past couple of decades.


When Information Technology came to the business table in the 90s, the requests were very straightforward: we want our computer to turn on, print, and, if we were lucky, connect to the internet through a dial-up modem. As the internet grew in size and businesses became dependent on access to it, the ask of the IT department grew as well.

Most IT departments are expected not only to ensure the computers function, print, and connect to the internet, but also to store important files, keep hackers out, back up key systems, manage email systems, provide video conferencing, host web services, orchestrate the systems that manage production devices, and handle anything else that falls under the umbrella of technology.

So, why can't the IT department just make it work? They can. But first, different teams within the IT department can have very different definitions of "make it work," and second, treating IT that way leaves a great resource in your organization untapped.

Over the past decade, the technologies under IT have gone from "working" to having different flavors of "working." IT is no longer a utility that offers a one-dimensional level of support. From how your organization collaborates to how it prioritizes systems and services, the IT department can be an influential voice at the business table.

The engineers within your IT department often know of emerging technologies and shifts in products that can help the operations of the business get to the next level. Bringing business problems to their attention lets them weigh in not only on decisions like how much RAM to put in a new server, but on which software solutions will solve the problem while also simplifying and speeding up the workflow.

An example would be choosing a place to back up important documents, including policies and emergency procedures. If the decision were made at the executive level and handed to the IT department as "create a server to store data," where users manually copy files to that server, it could be done. If the IT department were brought in on the underlying problem, a document repository solution like Microsoft SharePoint (perhaps in the cloud) would likely be recommended. This would not only allow these documents to be "backed up" to SharePoint; they could live in SharePoint, allowing multiple users to edit the same document, keeping version histories, supporting check-in and check-out for offline modifications, and even being embedded in an internal policy website for all employees to access. One caveat a practitioner would add: a live repository, even with version history, is a working copy rather than a recovery copy, so it still needs its own backup and retention plan.

Creating an environment in which a representative from IT is at the decision-making table allows them to better set up the systems that support your business initiatives and to offer solutions to problems as they arise. IT should no longer be categorized under the decaying term "utility," but recognized as the business enabler it is.