Building New Security on the Old Foundation
The IT press and social media make it clear that our world is getting riskier every day, which has made cyber security the new flavor of the month. We’re learning new terms all the time too, ransomware for example, where the thought of paying a ransom to regain access to my own systems is downright creepy!
While it’s true that ransomware and other new worries are specialities that the 21st century has invented for us, they are also the latest entries in a security timeline that has brought us to where we are now and can help us go forward.
Keeping Our Cars Safe
Let’s take something that is both an analogy and a statement of the very latest security concerns – having your car’s software hacked. This can leave you with an unusable car, or worse, with one that performs dangerously, or even one whose navigation system takes you where someone else wants you to go. And with driverless cars arriving, the consequences will get worse soon.
One of the reasons cyber security weaknesses can be exploited is that ordinary folks, the customers and users of the services and products that incorporate the latest software, do not sufficiently understand their role in keeping themselves safe. Modern cyber security specialists bemoan the use of passwords like ‘password’ or ‘12345’. But security has always met resistance from users; it isn’t only modern threats to cars that have been ignored.
The first cars did not lock, and starting one required just the strength to turn the crank handle. As theft became worthwhile, we started to see door locks, ignition locks, immobilizers, alarm systems, and more. Each of these was poorly used to begin with: people simply couldn’t get used to locking the car, or were reluctant to use the immobilizer because they forgot how to turn it off again, and so on. Even today, my passive intruder alert system is mostly turned off, lest the dog set it off yet again! And safety devices like seat belts are now enforced by the technology itself, through warning alarms and, in some cars, immobilization if we don’t do the sensible thing and buckle up.
Learning to Take the New Precautions
As with our cars, our approach to IT service management (ITSM) also needs to progress; we need to develop a deeper understanding of the risks and foster revised behaviour. Sometimes just thinking about how you would cope if your car were stolen, or hacked, is enough to change your behaviour. Those unlucky enough to have had their car stolen are usually the most scrupulous observers of security practices thereafter. But for most people it takes time to catch on, even to the belief that the risk is real.
Risk management is not a new idea created solely because of our IT developments. Risk is, and always has been, at the very heart of all management, and a key aspect of just about all everyday planning too. It is effectively about balancing what might be inconvenient or damaging against the cost and effort of preventing it. In the car example, do we accept the risk of the car being stolen, or pay extra for sophisticated locks and alarms?
Build Your Future on the Past
We have grasped this balance, of cost and inconvenience versus the potential damage that might happen, in ITSM for many years, through procedures and behaviours built into our incident, problem, change, availability, capacity, contingency (IT service continuity), and service level management (SLM) processes. Good ITSM practice has always been an essential foundation for good risk management.
Those organizations that have understood the risk and security implications of ITSM are in a good position now to accept and incorporate the new risks and concerns that technological development has brought us. If the new ideas come as an unexpected concern, and it isn’t clear how or where in your organization they need to be addressed, then the likelihood is that you need to revisit and strengthen the core ITSM processes like incident, problem, and change.
If you have built the hooks for strong incident and problem processes, it should be clear how you increase security awareness and record, analyze, and take action against the new concerns. If you haven’t, then that is the place to start, with understanding and setting up better incident management, problem management, and other core ITSM processes.
So, of course we must worry about the trendy new dangers and risks of the 21st century and make sure our people have the knowledge and tools to detect them if they happen. But we will discover and understand them – and be better equipped to deal with them – if we build on our existing procedures for detecting and resolving incidents and problems. And then we’ll understand the risks that proposed changes present us with.
The bottom line is: if your basic processes are not robust, simply focusing on the new risks will not adequately protect your organization in our new dangerous age. As I said above, good, robust incident and problem processes will discover new security threats and create knowledge about those risks.
Which new risks have you found lately?
Posted by Joe the IT Guy