It was the best of security, it was the worst of security. This story is not about Citibank, nor London or Paris for that matter, but about two anonymous regional financial institutions that illustrate an interesting aspect of security. Their IT footprints are very similar in terms of staffing, budget, technology deployed, and so on, yet one of them runs a remarkably secure IT environment and the other lives in a state of chronic insecurity.
Here, we take the opportunity to compare and contrast them, to try to learn how one can be so secure while the other is not, given such similar circumstances. First, the similarities: both have liberal IT budgets and face no significant constraints in acquiring new technology for their data centers. Both run their own data centers internally. Both have open positions for new IT staff and both have a difficult time finding good talent to fill them. Both IT departments are similar in size, with about 50 people each.
What makes the comparison worthwhile is that these two IT departments had more similarities than differences, which is exactly what makes the contrasts so instructive. Now, while IT is tremendously complex and no two environments can ever be equal (and small differences can have a big impact on security risk), it is still educational to isolate some key differences. So what was different?
After reviewing this question with some of our security team, the only significant delta was the culture of the two organizations.
The secure shop was very structured; let's call them London Bank. Reporting relationships were fairly static and IT projects were carried out in an orderly fashion. In the insecure shop, let's call them Paris Bank, gear was acquired with little process for mapping requirements to necessary features, and initial deployments often seemed to forget the original requirements in favor of whiz-bang extra features. Very little documentation was created for new systems, and there was essentially no process for initial deployment, ongoing maintenance or monitoring. There was no peer review or double-checking of critical deployments, and very little accountability for the quality of work. Certain individuals roamed around with a lot of critical knowledge in their heads about one-off custom configuration settings and other tidbits about mission-critical infrastructure.
So if culture is important, then we need to ask – where does culture come from?
Well, as far as we can tell, it starts from the top. We have noticed that in secure organizations, managers have both an awareness of security and a commitment to the often tedious process of secure operations. Aware and committed managers seem to recruit IT leads who share these values, who in turn bring in like-minded techies. Furthermore, it often seems that all of these people are bound by a consistent vision documented in their security policies. These policies, by the way, had been created thoughtfully, and their importance and value were well understood from management on down.