We don’t like exceptions in security
08:00 Monday, 18 October 2021
UK Cyber Security Council
There are six simple words which, when uttered, are guaranteed to strike dread into a CISO: “How do I request an exemption?”.
Cyber security is all about establishing the nature of the security-related risks we face and implementing controls (generally policies and procedures) to mitigate them. These controls only work if people abide by them – specifically if everybody abides by them – because, by definition, if a control isn’t used correctly the risk hasn’t been properly mitigated.
Now, security controls often have a downside with regard to convenience. That is, working securely may well need more time, effort and money than working less securely. But controls don’t remove risks, they mitigate them – that is, they reduce them to a level that the business considers acceptable. Part of the process of getting a control approved is to consider – then explain to the approvers – the trade-off between the upside and the downside, in order to arrive at an acceptable compromise.
Not only this, but controls are often not a one-size-fits-all concept. Perhaps, for instance, a “second pair of eyes” check on supplier payments is only required over £500, or a full security assessment is only required where a new supplier you’re signing up with will have access to the personal data for which we’re the Data Controller.
In short, then, controls are there for a reason; and decent controls have been thought through and are proportionate.
Yet from time to time the question arises from a team which wants to sidestep the control: “How do I request an exemption?”. And the correct answer is generally: you can’t. And that’s not because we, the security team, want to be unduly mean and single-minded. It’s because much of the time the unspoken element of what’s being said is that the requester has hit a snag, or has planned poorly, and has reached the stage where the only way to deliver on time and on budget is to take shortcuts. They have a problem, and they want to dig themselves out of a hole by impacting the business’s security.
How many of us have been begged to allow a new system to go live before all the required security testing is done? “Can’t we finish it post-go-live”, comes the cry, but of course once a system is live the genie is out of the bottle, their motivation to test just becomes microscopic, and the CISO is stuck with an untested system that the business won’t let him/her turn off because it would impact customers.
The other issue with allowing exceptions is that it’s a slippery slope. Once you say “yes” a few times, you’ll hear more and more “Oh, you let Finance do it last month, why not us?”.
And of course, the biggest deal is that it’s the exceptions that bite hardest. The malware that hit the business via the sales manager’s laptop whose USB blocking you disabled so he could get that important contract over the line. The dormant user ID that got hacked because you allowed it to remain enabled then forgot about it. The vulnerability that was exploited because you relented and agreed that a team could use an old version of an operating system for application compatibility reasons.
Like we said, controls exist for a reason. And the correct response when asked for an exception should include the words “body”, “dead”, “my” and “over”.