Getting at the Root of Security Problems
IT is getting a wake-up call. Security problems are running IT managers ragged. They're wasting time and loads of money. But our Datamation columnist says security problems are merely the symptom. The root of the problem runs much deeper.
"Engineering doesn't understand operations."
"They want more features before the bugs are worked out."
"Quality costs too much."
"Why can't we compete?" "Why are our jobs moving overseas?"
What are we talking about -- manufacturing of the 1980s or information technology today?
In the same way that the manufacturing world had a wake-up call from Japan, China and Korea, the US IT industry is having one today. Quality and cost concerns are now causing global shifts in the way information technology is organized. At the same time, IT is being challenged with regulatory compliance. All of this together creates a challenging environment.
One thing to note is that in the same way that manufacturing tried to inspect quality into products, IT is trying to inspect quality into systems and services. You can see it in IT security spending.
For years and years now, security practitioners have known that there is a direct relationship between errors and security problems. Simply put, the more errors in a system, the greater the probability of a security problem.
Yet, even though this is well known, nobody addresses the root problem.
Instead, what do they do? They go out and buy expensive hardware and software, retain consultants and hire staff all to try and compensate for poor initial quality.
There is something fundamentally wrong with this.
Quality, as well evidenced by the manufacturing industry, must be built into the products. This is done by addressing process issues. If manufacturing followed IT's approach, costs would be through the roof, the trash bins would be full and customers would be disappointed. Instead of spending more on technology and after-the-fact add-ons that mainly focus on symptoms, IT must change its focus and look at its core processes.
In 2003, a CompTIA study found that 63 percent of security breaches were attributable to human factors. In this year's study that number rose to 84 percent despite heightened awareness.
Today's IT security model is broken and this is not a technology issue.
Yes, there are clearly offensive threats that must be mitigated by firewalls, antivirus applications, and so on, but this does not diminish the fact that the processes are in dire need of attention. Not only must IT's processes mature and benefit security, but they must clearly add value to the entire IT group and overall parent organizations as well.
Quality is not achieved in a vacuum.
Starting to Fix the Problem
So what do we do first to address quality?
Stop. Do not run out to hire consultants and buy software to improve quality. Instead, focus on your processes and ask three questions.
Are the right processes formally documented? Is there proof that people are actually following the documented processes? Are you focusing on continuous improvement through benchmarking and audits?
These three questions are basic to almost any form of quality initiative. You have to reduce variations in order to identify the key aspects that need improving. If each person builds a server their own way and one person's server has higher availability, then it takes an inordinate amount of time to try and decipher what the beneficial differences are.
Take your best people, not the one sitting on the bench because he's worthless, and document the best practices in the organization. Benchmark the processes and seek further guidance from the Information Technology Infrastructure Library (ITIL), the ITPI's Visible Ops methodology, and the Microsoft Operations Framework (MOF).
Now it's the Vendors' Turn
It is not enough to focus quality improvement efforts solely in-house. Today, a large percentage of most firms' software is either outsourced or purchased off-the-shelf. Vendors must be made to understand that quality is job one. Is it any wonder that car companies mandate quality programs in their suppliers and even provide training and auditing programs to that end?
At the minimum, consider four simple steps.
Establish service levels. Define what is, and is not, acceptable in clear, concise language. Then establish metrics. Performance studies must be objective. Next, regularly review performance and provide feedback to the vendors. And finally, mandate continuous improvement by setting expectations.
Why must IT accept substandard quality from their vendors?
The answer is that many companies simply do not understand the causal relationship between poor IT products, security expenditures and total costs. Manufacturers wouldn't stand to shoulder the costs of poor quality and neither should IT.
Poor security is the symptom of poor processes and cannot be effectively remedied by pouring money into technology and staff. The true problem that must be addressed lies with processes that must be scrutinized, formalized and continuously improved, not just within IT, but within IT's entire supply chain as well.
To improve security and overall operations, IT must go after the root cause and not just the symptom.