Requests for exception to cyber security policies are completely normal. They seem to particularly occur while users or developers are under schedule pressure.
“This service account may have access to the domain controller but rotating it will break other systems”
“We don’t have time to write stored procedures”
“Those partners won’t want to multifactor and we need to get this done now”
The ensuing request for exception isn't a trap. Most are well intentioned and legitimate. The wise cyber security practitioner knows that there is always a rationale behind pushback: something underlying the request that the user understands but often leaves unsaid.

The wise security practitioner also knows their job is to discern what the user is thinking, but not saying, in their pushback.
One sound approach is to clearly state the risk and ask further questions to categorize the requests and their responses until you've landed in one of the following four buckets:
- The user may simply not have understood the risk
- The user may understand the risk but believes that their approach outweighs some negative impact to revenue or stability
- The user may understand the risk but believes that their approach outweighs having to reset delivery expectations
- The user may understand the risk but just does not want to do the work
Each of these rationales represents a purposeful decision. A purposeful decision that is one of the thousands of small daily decisions about security that, in the aggregate, dynamically defines how secure your organization will be.
Each rationale requires a different conversation.
One conversation might justify an exception. Two of the four might expose a ruse having little to do with security.
Key question to ask yourself when faced with an exception request: "which of the four conversations are we actually having?"
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1