02 Feb The Domino Effect of Security Controls
As security professionals, we often talk about taking a layered approach to security when describing the controls we implement to protect information. We understand the need to not have a single point of failure when implementing protection. If a system is processing critical information, we protect it through access rights management, network access management, backups, encryption – all the works. We do this so that if one control fails, the asset is protected by another control, creating resiliency and increased protection.
The understanding of a layered approach, or as many refer to it, a defense in depth approach, is one known to most security professionals. It is not, however, one that is popular amongst those working outside of the profession, i.e. most employees in an organisation. This lack of awareness tends to create resistance towards mitigation efforts, as they are usually seen in isolation and hence do not seem as useful as they are intended to be.
When controls are introduced with no proper context, their usefulness is often questioned. It often seems as if the risk reduction is not worth the “disruption” that the new control introduces. As with any type of change, people question why it is happening and want to understand the reason behind it, especially if it reduces their efficiency in delivering tasks or makes their work harder or less effective. The initial reaction to any change that comes with a control is usually resistance, and it is that much harder for a change to be successful if the people impacted do not understand it.
What I often see happening with new security controls, taken as part of a defense in depth strategy, is that the controls, when seen in isolation, seem ineffective. The new access control badges that people have to remember to wear to get into the building, the newly encrypted hard disk that may make their laptop slower, or the fact that they have to input a password to unlock their laptop. Why do we need access control? Why do our laptops need to be encrypted? Do I really need another password to log into my laptop? Does my cloud drive need two-factor authentication? Seen together, each control is part of a framework set up to protect against potential unauthorised access that could lead to theft of laptops. That way, if the access control fails and the laptop is stolen, the password and encryption can still protect the data on it, and the 2FA means the cloud drive can’t be accessed from it. In isolation they might seem trivial; put together they drastically reduce the risk around theft of information on a laptop.
When explained together, controls make sense, but this is usually not the way anyone thinks when initially reacting to a change. Unfortunately, when the security professionals governing such changes fail to explain the why behind the change, it can lead to resistance in the form of control failure. Access control can be bypassed by tailgating; passwords can easily be guessed if they’re written down on a post-it stuck to a device. With a number of controls relying heavily on the “user”, resistance in the form of control bypassing can lead to a domino effect of control failures.
This is why, as with any other organisational change, it is important to create awareness of the positive outcome of a new control. Understanding the need for the change, within a greater business context, leads to people embracing it. Whilst they might not like the fact that it reduces their efficiency, or makes it that much harder for their work to be effective, at least they know why the change is so important to the organisation and why, in the grand scheme of things, it is there to protect them and their work. Knowing the why, most people are less inclined to put in the effort to bypass a control.
Whilst a defense in depth approach will help when a control fails, this does not mean that it is enough to protect against user resistance. A layered approach is more likely to work if user awareness is seen as a control in itself. The understanding of our stakeholders should be part of the rollout plan of any new control framework, and should be treated as a critical step towards successful implementation of controls. Including and prioritising continuous user awareness as an integral part of a controls framework drastically reduces the likelihood of a domino effect of control failures in a layered approach to security.
The above post is a reflection of my personal opinion and in no way reflects nor is related to my employment.