I’ve worked at enough companies to see a general trend that I’m sure you’ve all seen before. When someone is hired into the security field from a purely business background and asked to manage an estate securely, the first thing they always turn to is policy. They walk around saying things like, “we must have a policy for this and that, oh and that, and they must be compliant with PCI DSS, ISOxxxxx, unknown standard X, etc, etc.”
In some of the penetration tests that I’ve done in the past, I’ve literally walked into companies and asked about their security, and have been told with huge smiles that their security is amazing, as they have a security policy. My first question is usually, “how do you make sure that it’s being enforced?”, which usually gets me a look that says “No-one ever told us that we had to enforce it, we just have to have one to be secure!”
I realise that it’s a lot easier in larger organisations than it is in smaller ones, as they usually get audited and the auditors tell them what needs fixing, but for the smaller businesses it’s not that easy. Unfortunately, when something goes wrong with a smaller company’s security, it doesn’t always get noticed.
I remember reading an article not too long ago that mentioned that as penetration testers we have to change our game: if we cannot communicate to the relevant people at the top what the problem is, then we are the ones to blame. They are hired for their business acumen, and we tend to get hired for our technical skills, so we should be the ones to learn the new skills here. I’m not talking about social engineering, although there is a time and a place for that, but just better communication methods. Learn to speak the language of the business, and learn to get the policies tweaked enough to secure the estate.
To secure a company, you need more than just policy: you need technical security measures, you need to train employees and keep training them, you need people who keep up to date with the latest exploits, and people who question others’ reasoning at times, and most importantly you all need to be able to work together and get your point across. Take the time out to get to know the people that you work with, what they enjoy, how they enjoy being presented with things, and the things that they despise; it pays off in the end.
If you can communicate at a better level, you stand a better chance of getting the logical security sorted out, and of being more than just a policy-based security team.