Redefining Security the New Goal of Former i5/OS Security Architect
January 9, 2008 Alex Woodie
There’s a serious problem with the state of security in the IT industry, according to Pat Botz, former i5/OS security architect with IBM. The problem isn’t a lack of tools and technologies for implementing security. Instead, the root of the problem stems from a lack of leadership from business people, who have given too much responsibility to the technical experts. Botz recently left IBM to work on this problem with his new consulting company Group8 Security, which formally launches next week.
To hear Botz talk about the state of computer security is a little bewildering. One goes into a conversation expecting the security expert to talk about the latest encryption standards, strong authentication, how to survive an audit, and the need for good intrusion detection–the daily cud of the security racket. But in fact those are the last things he wants to talk about. What Botz really wants to talk about is what he sees as the disconnect between the decision makers in the corner offices and technical pros in the server room, and how a good portion of the problems in IT security can be traced back to the absence of strong leadership emanating from the tops of organizations.
It’s a little like getting an interview with Joe Montana, the legendary 49’ers quarterback, and instead of hearing how he came to perfect the two-minute drill that led to so many Super Bowl rings, all he wants to talk about is the importance of having a good organizational structure, flowing smoothly from the general manager to the linemen. Of course, the selection of personnel is a key ingredient in putting together a successful football team. It isn’t as exciting as watching a master execute the two-minute drill, but without a solid foundation composed of individuals in positions they are qualified and trained to hold, the team’s chances of success are greatly diminished.
And that’s how Botz sees the state of IT security. Instead of having the general manager making strategic decisions that will lead to the success or failure of the team, these decisions are being handled at game time by the players on the field. Because these players–the IT professionals hired to run the servers and maintain the networks–aren’t qualified to make these decisions, they often end up making the wrong decisions, thereby decreasing the security of their company’s data, increasing the cost of implementing security, or both.
What’s even worse is that the business managers have willingly ceded this responsibility to their tech-savvy grunts under the misconstrued assumption that security is a technical issue that they have no business getting mixed up with, Botz says. “Security isn’t primarily a technical issue. It’s a business issue,” he says. “Part of the reason, I strongly believe, for the dismal state of information security across the whole industry–not just the System i, but the whole industry–is because the average chief security officer (CSO), the average chief financial officer (CFO) has assumed that information security in the electronic age is purely a technical issue.”
To use another analogy, companies are putting the cart before the horse. Instead of defining security policies in plain English, and then figuring out which technical procedures and processes will allow them to accomplish the goals of that security policy in the most efficient matter, companies are forgoing the security policy entirely and jumping straight into the technical part of setting policies and procedures. (To take the analogy one step further, many companies have abandoned security policies entirely–they’ve gotten rid of the horse–and are just pushing the cart around by hand.)
Botz explains the problem using System i terminology. “Security isn’t about setting QSecurity to Level 40. Security is about explicitly stating whether or not people in finance are allowed to access private employee data in the HR database. And it’s not a technical issue–it’s purely a business issue,” he says. “If the business people aren’t involved in defining what ‘secure’ means to that organization, I guarantee you there’s no way to measure that organization as to whether or not it has properly secured its business assets, because nobody’s defined it. And yet the vast majority of companies are jumping into information security at the enforcement stage, at the ‘set that value this way stage,'” instead of starting with the security policy.
In case you haven’t guessed by now, Botz’s goal at Group 8 Security will be to bridge the gap between business people and technical people when it comes to managing security. The company aims to do this by working with CSO and IT directors to define their security policies. Once the policy is in place, Group8 consultants will work with the folks in the customer’s IT department to come up with a set of procedures and processes that implement that security policy in the most effective manner possible. The company will also work to implement those procedures and set up a way to monitor their effectiveness over time, but these will often be separate contracts, Botz says.
Botz is adamant about respecting the balance between the level of security an organization attains and the cost it takes to get there. “We have this saying that security is a function of risk and cost,” he says. “You cannot consider security merely by looking only at risk. You must look at cost. It’s the only way you can manage security. And we want to help companies make valid, rational business decisions about security that put them in the best possible position for that particular company.”
Group8 Security will target mainly small and mid-size businesses that lack the resources and expertise to implement information security in the proper manner, including setting a policy, deducing procedures, executing the plan, and monitoring it from long-term effectiveness. Bigger companies typically have a more solid grasp on these IT security fundamentals, Botz says. However, Group8 will take larger corporations as clients for point projects, such as implementing single sign-on.
Group8 Security, which is a double-play on the Group 7 security level in the hit movie “Tron” and the group of eight industrialized nations that make up the G8, will function as a distributed company. Its headquarters will be in Reno, Nevada, but its consultants will be located around the country. Botz remains in Rochester, Minnesota, where he worked in the System i division for a number of years. The company is currently ramping up. It has five employees, is looking to hire people skilled in the business side of IT security, and already has some customers lined up.
Botz says six months into his recent stint at IBM Lab Services–his last assignment at Big Blue–helped him to realize the existence of a huge disconnect between business objectives and security policies. “I would get phone calls mostly from technical people and they would essentially say, ‘I have a requirement for single sign on.’ And that always struck me as odd, because single sign on is the solution to a requirement, but it’s not a requirement,” he says. “It’s one way to address the requirement, but the real requirement to that is ‘I need to significantly reduce the cost of managing identification and authentication.'”
But in most cases, the real requirement can’t be reverse-engineered from the series of processes and procedures that IT people are creating as pseudo-security policies in the absence of true security polices defined by the dollars and cents guys. “You read SOX, and nowhere does it say anything about QSecurity or whether or not QESECOFR should be allowed to log into more than one terminal at a time,” Botz says. “You just can’t possibly go backwards from looking at a configuration and determine what the policies were you were trying to enforce.”
Where many IT folks moan about SOX’s lack of clarity and the resulting tsunami of complexity, Botz sees illuminated flexibility and government rightfully keepings its hands out of telling a System i shop exactly which bits should be flipped, and when. “I would argue that it’s nowhere near as difficult or complicated as it appears to be,” he says. “The reason why it appears too complicated is, if you don’t have a well-defined objective, how the hell are you ever going to be measure whether or not you’ve gotten there?”
In many ways, Group8 Security’s goal is education, and convincing customers that security is not the black art that it appears to be to business folks. “They don’t have to be technical experts in any way to play their proper role. They should not be telling technology people which firewall to use, or even what functions it should have. But they should be making clear statements, they should be driving the process,” Botz says. “Instead, because the business leadership isn’t playing its role, we have technical people, in effect, making business policy decision, and trying to enforce them.”
In the end, Group8 Security is attempting to do something no other security consulting company has tried to do: Educate a wide swath of the market to the true goals of information security, thereby empowering executives to assume their proper place in the line and vanquishing the myths of security as a geeky black art forever. It’s not quite “Rent a CSO,” but it’s pretty close
“The modest objective of Group8 is to change the way the entire industry manages security,” Botz says. “And once we get done with that, we’re going to attack world hunger. We thought we’d go after the low-hanging fruit first.”