Information security policies and corresponding controls are often unrealistic. They don’t recognize how employees need to interact with computer systems and applications to get work done. The result is a set of safeguards that provide a false sense of security.
This problem will continue to grow due to consumerization of IT: the notion that employees increasingly employ powerful personal devices and services for work. This trend makes it easier for the employees to engage in practices that make their life and work more convenient while introducing security risks to their employer.
Corporate IT security departments need to recognize that employees:
- Use personal mobile devices and computers to interact with corporate data assets.
- Take advantage of file replication services, such as Dropbox, to make access to corporate data more convenient.
- Employ the same password for most corporate systems and, probably, personal on-line services.
- Write down passwords, PINs and other security codes on paper, in text files and email messages.
- Click on links and view attachments they receive through email and on-line social networks.
- Disable security software if they believe it slows them down.
- Don’t read security policies or, if they read them, don’t remember what was in them.
These are inconvenient truths that, if acknowledged by organizations as being common, can be incorporated into enterprise risk management discussions. Doing this will have strong implications for how IT security technologies and practices are configured and deployed.
This is a very interesting post from Lenny Zeltser. It is not only about things we keep trying to avoid; those things are a plain representation of user (and business) needs. These inconvenient truths should be used as basic assumptions for any security strategy. By doing so you will be building security that does not rest on weak, assumed controls, and that has a better chance of holding up when those controls fail.
So, try this as an exercise: assume all the items listed by Lenny are true for your environment. Think about how effective your remaining controls will be against the most common threats; and, finally, identify what you could do to compensate for any weaknesses you have found.
Keep that list. That will probably be more valuable than what you can get from a lot of complex and expensive "strategy exercises" out there :-)