Page 15 - index
P. 15
The 12 Worst Network Security Practices Part 2 – Say no to the
‘Culture of No’
By: Ofer Or, VP of Products at Tufin
We began this blog series discussing the mistake IT professionals tend to make in falling for a
‘shiny new object,’ aka the latest and greatest technological innovation. This time, we’re honing in
on what Gartner considers to be the second ‘worst practice’ when it comes to network security: the
‘culture of no.’
This type of culture refers to many things, however Gartner is referring to the countless security
departments that “do not enable their end users to quickly embrace new technologies.” This may
seem to contradict the idea around avoiding ‘shiny new objects,’ and that’s because it does – in a
way.
Nothing good ever comes from extremism of any kind, which is why there needs to be a happy
medium between purchasing and adopting every new technology that hits the market, and simply
refusing to evolve with the rest of the IT world. Furthermore, some users reported that they strongly
believe “security departments implement policies and controls without regard for business function.”
A common example of this disregard is when CISOs block employee access to a specific resource
such as a website, server or application without a true understanding of who uses this resource, the
purpose of the resource, or the business implications of blocking this access.
Another instance Gartner cites is forced patches upon employees’ devices while not providing an
option to bypass or delay these updates.
Turns out, security professionals’ for the most part agree with Gartner from this standpoint. In a
recent study by ESG Group, one of the top security challenges (cited by 39% of respondents) is that
“IT initiatives are being adopted without the proper network security oversight or controls in place”.
A similar study by RSA and ISACA found that the #1 skill gap for security professionals is the ability
to understand the business side of things. Basically, security professionals don’t understand how
the business operations work, and therefore make decisions that impact the business without
understanding the full implications.
And yet another comparable statistic for this can be found in a NetworkWorld survey, in which 60%
of respondents stated they don’t feel confident about their readiness to effectively deliver the
applications and services that are their organizations’ top priorities.
Basically, business leaders are making decisions on behalf of the entire organization without a
proper understanding of the security implications, and security leaders are making decisions without
a comprehensive understanding of the potential impact on the business. It’s a classic case of
miscommunication, which can be the key to disaster in an organization.
15 Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
