By Alex Woodie
November 26, 2007
There's a serious problem with the state of security in the IT industry,
according to Pat Botz, former i5/OS security architect with IBM. The
problem isn't a lack of tools and technologies for implementing
security. Instead, the root of the problem stems from a lack of
leadership from business people, who have given too much responsibility
to the technical experts. Botz recently left IBM to work on this problem
with his new consulting company Group 8 Security, which formally
launches next week.
To hear Botz talk about the state of computer security is a little
bewildering. One goes into a conversation expecting the security expert
to talk about the latest encryption standards, strong authentication,
how to survive an audit, and the need for good intrusion detection--the
daily cud of the security racket. But in fact those are the last things
he wants to talk about. What Botz really wants to talk about is what he
sees as the disconnect between the decision makers in the corner offices
and technical pros in the server room, and how a good portion of the
problems in IT security can be traced back to the absence of strong
leadership emanating from the tops of organizations.
It's a little like getting an interview with Joe Montana, the legendary
49ers quarterback, and instead of hearing how he came to perfect the
two-minute drill that led to so many Super Bowl rings, all he wants to
talk about is the importance of having a good organizational structure,
flowing smoothly from the general manager to the linemen. Of course, the
selection of personnel is a key ingredient in putting together a
successful football team. It isn't as exciting as watching a master
execute the two-minute drill, but without a solid foundation composed of
individuals in positions they are qualified and trained to hold, the
team's chances of success are greatly diminished.
And that's how Botz sees the state of IT security. Instead of having the
general manager making strategic decisions that will lead to the success
or failure of the team, these decisions are being handled at game time
by the players on the field. Because these players--the IT professionals
hired to run the servers and maintain the networks--aren't qualified to
make these decisions, they often end up making the wrong decisions,
thereby decreasing the security of their company's data, increasing the
cost of implementing security, or both.
What's even worse is that the business managers have willingly ceded
this responsibility to their tech-savvy grunts under the misconstrued
assumption that security is a technical issue that they have no business
getting mixed up with, Botz says. "Security isn't primarily a technical
issue. It's a business issue," he says. "Part of the reason, I strongly
believe, for the dismal state of information security across the whole
industry--not just the System i, but the whole industry--is because the
average chief security officer (CSO), the average chief financial
officer (CFO) has assumed that information security in the electronic
age is purely a technical issue."
To use another analogy, companies are putting the cart before the horse.
Instead of defining security policies in plain English, and then
figuring out which technical procedures and processes will allow them to
accomplish the goals of that security policy in the most efficient
manner, companies are forgoing the security policy entirely and jumping
straight into the technical part of setting policies and procedures. (To
take the analogy one step further, many companies have abandoned
security policies entirely--they've gotten rid of the horse--and are
just pushing the cart around by hand.)
Botz explains the problem using System i terminology. "Security isn't
about setting QSecurity to Level 40. Security is about explicitly
stating whether or not people in finance are allowed to access private
employee data in the HR database. And it's not a technical issue--it's
purely a business issue," he says. "If the business people aren't
involved in defining what 'secure' means to that organization, I
guarantee you there's no way to measure that organization as to whether
or not it has properly secured its business assets, because nobody's
defined it. And yet the vast majority of companies are jumping into
information security at the enforcement stage, at the 'set that value
this way' stage," instead of starting with the security policy.
In case you haven't guessed by now, Botz's goal at Group 8 Security will
be to bridge the gap between business people and technical people when
it comes to managing security. The company aims to do this by working
with CSO and IT directors to define their security policies. Once the
policy is in place, Group 8 consultants will work with the folks in the
customer's IT department to come up with a set of procedures and
processes that implement that security policy in the most effective
manner possible. The company will also work to implement those
procedures and set up a way to monitor their effectiveness over time,
but these will often be separate contracts, Botz says.
Botz is adamant about respecting the balance between the level of
security an organization attains and the cost it takes to get there. "We
have this saying that security is a function of risk and cost," he says.
"You cannot consider security merely by looking only at risk. You must
look at cost. It's the only way you can manage security. And we want to
help companies make valid, rational business decisions about security
that put them in the best possible position for that particular
Group 8 Security will target mainly small and mid-size businesses that
lack the resources and expertise to implement information security in
the proper manner, including setting a policy, deducing procedures,
executing the plan, and monitoring it for long-term effectiveness.
Bigger companies typically have a more solid grasp on these IT security
fundamentals, Botz says. However, Group 8 will take larger corporations
as clients for point projects, such as implementing single sign-on.
Group 8 Security, which is a double-play on the Group 7 security level
in the hit movie "Tron" and the group of eight industrialized nations
that make up the G8, will function as a distributed company. Its
headquarters will be in Reno, Nevada, but its consultants will be
located around the country. Botz remains in Rochester, Minnesota, where
he worked in the System i division for a number of years. The company is
currently ramping up. It has five employees, is looking to hire people
skilled in the business side of IT security, and already has some
customers lined up.
Botz says six months into his recent stint at IBM Lab Services--his last
assignment at Big Blue--helped him to realize the existence of a huge
disconnect between business objectives and security policies. "I would
get phone calls mostly from technical people and they would essentially
say, 'I have a requirement for single sign on.' And that always struck
me as odd, because single sign on is the solution to a requirement, but
it's not a requirement," he says. "It's one way to address the
requirement, but the real requirement to that is 'I need to
significantly reduce the cost of managing identification and
But in most cases, the real requirement can't be reverse-engineered from
the series of processes and procedures that IT people are creating as
pseudo-security policies in the absence of true security policies defined
by the dollars and cents guys. "You read SOX, and nowhere does it say
anything about QSecurity or whether or not QESECOFR should be allowed to
log into more than one terminal at a time," Botz says. "You just can't
possibly go backwards from looking at a configuration and determine what
the policies were you were trying to enforce."
Where many IT folks moan about SOX's lack of clarity and the resulting
tsunami of complexity, Botz sees illuminated flexibility and government
rightfully keeping its hands out of telling a System i shop exactly
which bits should be flipped, and when. "I would argue that it's nowhere
near as difficult or complicated as it appears to be," he says. "The
reason why it appears too complicated is, if you don't have a
well-defined objective, how the hell are you ever going to measure
whether or not you've gotten there?"
In many ways, Group 8 Security's goal is education, and convincing
customers that security is not the black art that it appears to be to
business folks. "They don't have to be technical experts in any way to
play their proper role. They should not be telling technology people
which firewall to use, or even what functions it should have. But they
should be making clear statements, they should be driving the process,"
Botz says. "Instead, because the business leadership isn't playing its
role, we have technical people, in effect, making business policy
decisions, and trying to enforce them."
In the end, Group 8 Security is attempting to do something no other
security consulting company has tried to do: Educate a wide swath of the
market to the true goals of information security, thereby empowering
executives to assume their proper place in the line and vanquishing the
myths of security as a geeky black art forever. It's not quite "Rent a
CSO," but it's pretty close.
"The modest objective of Group 8 is to change the way the entire
industry manages security," Botz says. "And once we get done with that,
we're going to attack world hunger. We thought we'd go after the
low-hanging fruit first."
Copyright 1996-2007 Guild Companies, Inc. All Rights Reserved.