TSQL Tuesday #63 – Managing the Managers Of Security

#tsql2sday63

This month’s T-SQL Tuesday is hosted by Kenneth Fisher (blog | twitter) and the topic is security. Security is a topic that I’m pretty serious about and have decided to join in the conversation.

Security is one of those subjects that most DBAs have to deal with regardless of specialty. So, as something we all have to work with at some point or another what are some tips you’d like to share? What’s the best security design? You’ve picked up a legacy system and the security is awful, how do you fix it? Any great tools out there you’d like to share? Hate it or love it I’m betting we all have something to say.

About 11 years ago, I had the opportunity to work with Microsoft Philippines to deliver their security workshops to partners and customers. As I was discussing the 10 Immutable Laws of Security, one of the trainees stood up, picked up a call and started talking on his phone. The entire class could hear him as he was talking on the phone, probably because the other person on the line could barely hear him and because the walls of the training room were not properly insulated to loud sounds. As I was explaining Law #5, every one on the class heard how he loudly spelled out his credentials – both login and password – on the phone. That got the whole room laughing as he got back to his seat. To which, I responded, “You might want to call your buddy back and tell him to change the credentials on that server.” Unfortunately, even after more than a decade, some things have not changed. Need proof? Just check out this Twitter account. Or maybe see a visualization of the world’s largest security breaches.

Security is only as strong as the weakest link.

If you look at the  10 Immutable Laws of Security, you’ll notice that the first seven laws have something to do with the individual’s responsibility towards a computing system. That individual could either be the end user interacting with the system or the administrator managing it. Take away the human factor and we decrease the possibilities of security incidents (it also takes away the real value computing systems offer to people using it.) Unfortunately, organizations spend more on the technology solutions in improving security systems without taking into account Law #10technology is not a panacea. Since humans are the main cause of security issues, only humans can provide the means to addressing them. Maybe it’s time for organizations and individuals to start investing on the human aspect of security to make sure its not the weakest link.

Education and Awareness

We need to constantly educate users and administrators of the impacts and risks of security so they don’t end up being like the guy who was shouting out his password loud enough for every one to hear. As I constantly tell IT professionals, “Security is a state of mind.” It has got to become a lifestyle for it to become second nature.  And since we are all on different levels of learning and experience, systems and processes have to be put in place to constantly educate everyone within the organization. This could come as quarterly mandatory newsletters and training programs that everyone has to read and go thru. Because when mindset changes, behaviour changes. You’ll be surprised at how everyone in the organization – end users and IT folks alike – will now be accustomed to security practices both on and off the job. When I first moved up here in Canada, people were laughing at me when they saw me carrying multiple RSA tokens for my bank accounts back in Singapore, when I close the secure entrance at the office before I start walking away and why I would keep my desk free from any clutter. But when we put on a different mindset, behaviour change comes after. They came to realize why I do what I do when they were made aware of the security impacts each one of us has in the entire organization.

Our Role

We all have a part to play to keep every one safe. Start by self-education and being aware. Share what you know with a friend or colleague. Organize brown bag sessions in the office or inform your management about your learnings. As you are increasing awareness, measure the the impacts so you can see the benefits. You have my permission to put on a new title aside from being a DBA, developer, analyst, etc. And let me congratulate you on becoming your organization’s Chief Security Officer.

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *