Any information security professional will tell you that security countermeasures are made up of people, processes and technology. The only problem is that good security depends on stable people, processes and technology.
A stable organization undergoing rapid and violent change is an oxymoron.
People countermeasures are a mix of security awareness training, background checks (at a depth proportional to the job's exposure to sensitive assets), and deterrence. Andy Grove once said "Despite modern management theory regarding openness – a little fear in the workplace is not a bad thing". When a lot of employees are RIF'd (let go in a reduction in force) – there is a lot of anger and people who don't identify with their employer; the security awareness training vaporizes and fear and revenge take over. Some of the security people will be the first to go, replaced by contractors who may not care one way or the other or, worse, may be tempted by the opportunities offered by the chaos.
Processes need to be implemented in a way that ensures confidentiality, integrity and availability of customer data. A simplistic example is a process that allows a customer service representative to read off a full credit card number to a customer. That’s a vulnerability that can be exploited by an attacker. In a merger or acquisition – business processes change and if one believes in Murphy’s law – never for the best. A rule of thumb I like to use is that many security vulnerabilities lie in the cracks of systems and organizational integration – in an M&A – those cracks can look like the Grand Canyon.
Technology countermeasures are never a panacea and must always be measured for cost-effectiveness. Today's defense in depth strategy is to deploy multiple tools at the network perimeter and endpoint: firewalls, IPS and malicious content filtering at the perimeter, and removable device control and personal firewalls at the endpoints.
Although defense in depth is a sound strategy – it can develop three vulnerabilities in times of rapid organizational change. First – most defense in depth information security is focused on external threats, while in an organization undergoing rapid change the problem is internal vulnerabilities. Second – defense in depth means increased complexity, which can result in more bugs, more configuration faults and … less security instead of more security. Third – when the security and executive staff is cut, security monitoring and surveillance suffer, since there are fewer (or no) eyeballs to look at the logs and security incident monitoring systems.
Claudiu Popa, president and chief security officer of data security vendor Informatica Corp. recently told Robert Westervelt in an interview on searchsecurity.com that “mergers and acquisitions force IT security pros to be more aware of internal threats”.
No argument – until the closing paragraph which had some dangerous best-practice boilerplate:
Adequate security is difficult to implement, but once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.
Correct – but for an organization firing 30% of its workforce overnight, words like maturity, credibility and efficiency go out the door with the employees.