I’ve been thinking about a concept lately that came up in a discussion around security’s “Hierarchy of Needs”. Most people would be familiar with the basic concept from Maslow’s Hierarchy of Needs – the idea being that all humans have a set of needs, and the higher level needs can never be truly satisfied until the more basic needs are. As an example, fulfilment of friendship or work satisfaction needs are unlikely to be important if the more basic requirements of life such as being fed/watered/sheltered are not being met.
(I’m sure I’m doing Maslow a complete disservice – but you get the idea).
So – what is the parallel for security?
Most security professionals these days will tell you that the key to security is working with the business to understand and quantify risk to allow the business to make its own informed decisions.
I think that’s true – and yet in some ways the average security professional doesn’t actually live by it. (Risk management people do – but I generally view security people as having (and needing) a different philosophy to risk people.) The average security person in a large organisation will tell you that you have to patch and you have to run anti-virus. If the business is not funding these things then we’ll generally trot out the line “it’s a business decision” – but if we are honest with ourselves we don’t believe it.
In fact in any large organisation (and all of this really holds true in large organisations – the argument breaks down for smaller ones as I think it actually does turn into a risk equation) there are certain things you have to do. And I think that comes from the fact that as an organisation grows in size, the probability of a bad event happening from lack of basic security approaches unity. And given that a security event arising from lack of basic security generally means the organisation stops functioning, then almost by definition the risk is at an unacceptable level.
So what does this mean? I think security people need to get better at separating out what are basic controls from what are things we are actually comfortable letting the business accept as a risk.
Note that word comfortable – I’m not saying we should dictate to the business – but that in our own heads we need to separate what we are comfortable with from what we are not. That still sounds perilously close to telling the organisation what it needs to do, but I think that as a security manager, if you aren’t doing that for basic stuff in a large organisation then fundamentally you are not doing your job.
It shouldn’t be about “if the CEO says we don’t need to patch then it’s OK” it should be about the security person going to the CEO and saying “we just have to do this – anything less is a failure in our duty of care to the company”.
And to be honest – I’m not sure I’d want to work in a company that didn’t want to patch. Or at least manage the risk somehow – I’d be OK with any control that manages the vulnerability issue – as long as it’s being managed.
So how does this match up to the hierarchy of need? Well I’d argue that if you are running security, there is not a lot of point talking about “Business Risk Management” if you do not have a handle on patching (using our example above).
Do the basic requirements have to be perfectly under control? No – but if they aren’t and you are spending all of your time building the perfect risk management framework then I think you are getting your focus wrong.
So in terms of the hierarchy of need I’d picture something like:
One other thing to note is that what constitutes a basic security need (or in fact anything in any of the layers) will change from organisation to organisation. That’s where the risk analysis comes back into its own. Some things will be deemed too high risk to compromise on. Others can be managed in consultation with business owners.
An interesting Corollary
Looking at the three levels, they give an idea of where security is a “value add” to the organisation. The most basic security needs are your “ticket to play” (and should be enshrined in policy). The next level is the sound security management that the organisation feels it needs to do.
But the top level is where security can really add value. By helping the business accept risk in potentially competitive areas, security can give the organisation an advantage. A security team that is too strict can cause a lot of damage in this area by holding an organisation back.