
The IT Security Balancing Act
Wed 17 Feb 10

Ultimately, IT is responsible for security breaches even if it's not at fault.


Late last year, Plano, Texas-based Hillary Machinery lost $800,000 to cyber theft when attackers stole the money in a series of transfers from Hillary's PlainsCapital bank account. PlainsCapital was subsequently able to recover about $600,000.

As you might expect, Hillary demanded that PlainsCapital repay the unrecovered funds, saying PlainsCapital didn't provide adequate security measures. Up to this point, there is nothing especially noteworthy about this situation. Sad to say, but cyber theft just isn't all that unusual anymore.

However, what happened next has drawn attention well beyond Texas: PlainsCapital is suing Hillary Machinery, the victim.

In what appears to be a pre-emptive move, PlainsCapital is asking the court to declare that the bank's security procedures were commercially reasonable, the standard that decides which party absorbs the loss on an unauthorized commercial transfer. In effect, the bank is saying that it is Hillary Machinery's fault the money was stolen.

PlainsCapital contends that it's not at fault because the transfers were initiated by someone who presented valid Internet banking credentials belonging to Hillary Machinery. Hillary Machinery argues that the transactions had a number of peculiarities that should have prompted PlainsCapital to examine them more closely before releasing the money. That is the crux of the matter: a correct user name and password prove only that the sender knew the credentials, not that the account holder authorized the transfer, so a bank whose checking stops at the login screen has no way to tell a stolen credential from a legitimate one.
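To make the "peculiarities" argument concrete, here is an added example (not code from the post, from PlainsCapital or from any bank) of the kind of screening that looks past the login: each outbound transfer is compared with the account's own history (known beneficiaries, usual session country, typical amount, number of transfers in the last day), and two or more anomalies put it on hold for a person to call the customer. The transfers, thresholds and country codes are constructed for the illustration and are not details of the Hillary case.

```python
"""Screening outbound transfers against an account's own history.

Added example for this post; it is not code from the post, from PlainsCapital
or from any bank, and the transfers, thresholds and country codes below are
constructed for illustration rather than taken from the Hillary case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: float
    beneficiary: str   # destination account identifier
    country: str       # country the online-banking session came from


@dataclass
class Baseline:
    known_beneficiaries: set
    usual_countries: set
    mean_amount: float
    std_amount: float


def build_baseline(history):
    """Summarise what 'normal' looks like for this account from past transfers."""
    amounts = [t.amount for t in history]
    return Baseline(
        known_beneficiaries={t.beneficiary for t in history},
        usual_countries={t.country for t in history},
        mean_amount=mean(amounts),
        std_amount=pstdev(amounts) or 1.0,   # guard against a flat history
    )


def score_transfer(t, baseline, recent, window=timedelta(hours=24), max_per_window=3):
    """Return (score, reasons). Valid credentials contribute nothing here:
    every point comes from how the transfer compares with the account's habits."""
    reasons = []
    if t.beneficiary not in baseline.known_beneficiaries:
        reasons.append("new beneficiary")
    if t.country not in baseline.usual_countries:
        reasons.append(f"session from unusual country {t.country}")
    z = (t.amount - baseline.mean_amount) / baseline.std_amount
    if abs(z) > 3:
        reasons.append(f"amount {t.amount:.0f} is {z:.1f} sd from typical")
    burst = [r for r in recent if t.when - r.when <= window]
    if len(burst) >= max_per_window:
        reasons.append(f"{len(burst) + 1} transfers within {window}")
    return len(reasons), reasons


def screen(history, new_transfers, hold_threshold=2):
    """Screen transfers in time order. One weak signal is released;
    two or more put the transfer on hold for a human to call the customer."""
    baseline = build_baseline(history)
    recent, decisions = [], []
    for t in sorted(new_transfers, key=lambda x: x.when):
        score, reasons = score_transfer(t, baseline, recent)
        action = "hold_for_review" if score >= hold_threshold else "release"
        decisions.append((t, action, reasons))
        recent.append(t)
    return decisions


# Constructed sample data: a year of routine supplier payments, then a busy morning.
HISTORY = [
    Transfer(datetime(2009, m, 15), amt, ben, "US")
    for m, amt, ben in [
        (1, 5000, "ACME-SUPPLY"), (2, 7500, "ACME-SUPPLY"), (3, 6200, "STEEL-CO"),
        (4, 8100, "ACME-SUPPLY"), (5, 5400, "STEEL-CO"), (6, 9800, "TOOLING-LTD"),
        (7, 7000, "ACME-SUPPLY"), (8, 6600, "STEEL-CO"), (9, 8400, "TOOLING-LTD"),
        (10, 7200, "ACME-SUPPLY"),
    ]
]
NEW_TRANSFERS = [
    Transfer(datetime(2010, 2, 1, 9, 0), 6900, "ACME-SUPPLY", "US"),
    Transfer(datetime(2010, 2, 1, 9, 30), 45000, "NEW-ACCT-1", "BR"),
    Transfer(datetime(2010, 2, 1, 10, 0), 6500, "NEW-ACCT-2", "US"),
    Transfer(datetime(2010, 2, 1, 10, 15), 52000, "NEW-ACCT-3", "BR"),
]


def demo():
    """Run the screen over the constructed data and return the decisions."""
    return screen(HISTORY, NEW_TRANSFERS)


if __name__ == "__main__":
    for t, action, reasons in demo():
        print(f"{t.when:%H:%M} {t.amount:>8.0f} -> {t.beneficiary:<12} {action:<16} {'; '.join(reasons)}")
```

Run as written, the routine supplier payment is released, the two large transfers to never-before-seen accounts from an unusual country are held, and the small transfer to a new beneficiary is released because a single weak signal is not worth a phone call. The point is not the particular rules but that every one of them can fire even when the password was correct; the hold threshold and window are the "cost versus ease of use" dial the rest of the post is about.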

This situation typifies the classic security dilemma. Everyone wants three things from their security system:

  • Strong security. Everyone wants the highest level of security
  • Low cost. It can't cost a lot to build or maintain
  • Ease of use. It can't be complicated or people won't use it

Security experts will tell you that you can have any two of these, but not all three; you get to pick which two, and the third has to give. In practice the trade-off is never that clean. We end up making compromises in search of a reasonable balance, and sometimes we end up with none of the three.

This conflict was described well by Yaron Levi in a comment on an article about another bank-related cyber theft. Levi wrote:

"We have a solution that can totally protect the bank customers. Guess what, I spoke with a few banks and offered them the solution. They all agreed it will solve the problem but claim that unless the law mandates it they will not spend money on better security.

I asked one of them if the banks' customers will be willing to pay something small (say $5 per month) for better security. The guy laughed in my face and said his customers already complain that using a password and security questions is too complex."

In this example, low cost and ease of use were judged more important than security. Corporate IT faces this dilemma every day. Unfortunately we don't have the option to sue our customers. Even when a non-IT employee clearly is to blame for a security breach, IT is still responsible. It's our job to maintain a secure environment and to keep it low cost and easy to use. A delicate balancing act, indeed.

Our fellow employees are the greatest threat to security, and at the same time they can be its most important element. Technology can improve security, lower the cost and make it easier to use, but it is all for naught if people don't actively participate in maintaining a secure environment. Technology alone will not work.

I believe Dan Morill stated it best: "We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets."

Although this seems like a no-win situation, there are a number of things we can do.

Raise security awareness - Good security is like the electrical grid: no one thinks much about it until it fails. While you don't want to create hysteria, you do want people to know that the threats are real. Does anyone outside of IT know how many intrusion attempts you've blocked or how many virus threats you've countered? Maybe they should.

Knowing this may make people a little more rigorous about following security rules, and management may be willing to spend a little more on security if they can see what it is doing for them.

Avoid the Chicken Little syndrome - There are new security threats every day. It's our job to assess them and act accordingly. Part of this is knowing when to raise the alarm and when you shouldn't. "The sky is falling" didn't turn out well for Chicken Little, and likewise a constant security crisis attitude eventually will dull people's sensitivity to security.

Match the security to the risk - One way to get people to accept stronger but less convenient security controls is to apply them only where they are truly warranted. Save the tight controls for the really important assets. Treating everything the same dilutes the significance of all of it. Does access to the stock records in the parts warehouse really need the same tight security as the payroll records?

Alternatively, consider a single sign-on system that, coupled with behind-the-scenes security profiles, lets management control who can reach what with a minimum of inconvenience: one login for everyone, with the stronger checks applied only when someone reaches for the sensitive data.
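As an added example of what "security profiles behind a single sign-on" can look like in practice (not code from the post or from any SSO product), here is a small policy table in which each resource carries a classification, the roles allowed to touch it, and the minimum login strength it demands; the warehouse clerk never sees a second prompt, the payroll user is asked for a second factor only when opening payroll. The resources, roles and assurance tiers are invented for the illustration, and the tiers borrow the idea, not the exact definitions, of the NIST SP 800-63 authenticator assurance levels.

```python
"""Policy-as-code sketch of 'match the security to the risk' behind a single sign-on.

Added example, not code from the post or from any SSO product. The resources,
classifications, roles and assurance levels are invented for illustration; the
assurance tiers borrow the idea (not the exact definitions) of NIST SP 800-63
authenticator assurance levels.
"""
from enum import IntEnum


class Assurance(IntEnum):
    PASSWORD = 1   # what the everyday SSO login establishes
    MFA = 2        # a second factor completed in this session
    HARDWARE = 3   # phishing-resistant hardware key


# One policy table drives every decision: the sensitive data demands more,
# the routine data is reachable with the plain SSO login.
POLICY = {
    "warehouse/stock": {"class": "internal", "min_assurance": Assurance.PASSWORD,
                        "roles": {"warehouse", "finance"}},
    "hr/payroll": {"class": "confidential", "min_assurance": Assurance.MFA,
                   "roles": {"payroll"}},
    "treasury/wires": {"class": "restricted", "min_assurance": Assurance.HARDWARE,
                       "roles": {"treasury"}},
}


def decide(session, resource):
    """Return (action, reason) for a session reaching a resource.

    action is 'allow', 'step_up' (right role, but the login so far is too weak
    for this data, so prompt for the stronger factor) or 'deny'. Unknown
    resources are denied rather than allowed by default."""
    rule = POLICY.get(resource)
    if rule is None:
        return "deny", "no policy for resource (default deny)"
    if not rule["roles"] & set(session["roles"]):
        return "deny", f"role not permitted for {rule['class']} data"
    if session["assurance"] < rule["min_assurance"]:
        return "step_up", f"{rule['min_assurance'].name} required for {rule['class']} data"
    return "allow", f"{rule['class']} data, assurance sufficient"


def step_up(session, achieved):
    """Record a completed stronger factor on the session (never lowers it)."""
    session["assurance"] = max(session["assurance"], achieved)
    return session


def walkthrough():
    """Constructed sessions: both users signed on through the same SSO page."""
    clerk = {"user": "clerk", "roles": ["warehouse"], "assurance": Assurance.PASSWORD}
    payroll = {"user": "pay", "roles": ["payroll"], "assurance": Assurance.PASSWORD}
    return [
        decide(clerk, "warehouse/stock")[0],    # routine data, plain login is enough
        decide(clerk, "hr/payroll")[0],         # wrong role, no amount of MFA helps
        decide(payroll, "hr/payroll")[0],       # right role, but needs a second factor
        decide(step_up(payroll, Assurance.MFA), "hr/payroll")[0],
        decide(payroll, "treasury/wires")[0],   # role check fails before assurance
        decide(payroll, "does/not/exist")[0],   # nothing listed is nothing allowed
    ]


if __name__ == "__main__":
    print(walkthrough())
```

Two design choices carry the weight: the role check runs before the assurance check, so a user in the wrong role is refused without ever being invited to escalate, and a resource missing from the table is denied rather than allowed, so forgetting to classify something fails on the safe side.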

In the end you have to get people involved and actively manage security because even though you may not be to blame, you are the one responsible.

"Old Vault Door" photo by Daniel Leininger / CC BY 2.0

This article is also posted on Forbes.com. Feel free to join in the discussion either on this site or at Forbes.com.

Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.

My photos on
Mike Schaffner's items Go to Mike Schaffner's photostream

Free Subscriptions
  Free RSS Subscription

Free RSS Subscription

For An Email Of New Articles
Enter your email address:

Read On Your Mobile Device


Join the Conversation
Subscribe to Comments
  Free RSS Subscription

For New Comments Email
Enter your email address:

This is the personal blog of Michael W. Schaffner. The opinions expressed in this blog are solely mine and those of commenters. You should not infer that these opinions are the opinion of, or have been endorsed by, any current or former employer.


Copyright © 2006, 2007, 2008, 2009 Michael W. Schaffner. You may copy or quote sections of this blog if you provide an attribution consisting of a reference to Michael Schaffner and "Beyond Blinking Lights and Acronyms" along with a hyperlink (if a web reference) to the blog posting.
