Getting support from management

The ultimate success of your Least Privilege Security project will be determined by user acceptance and support from management. A smooth and trouble-free implementation is in the interests of the business, and in the event that you should encounter resistance on the shop floor, it's good to know that you've got full backing from management.

In an economic downturn, you may find it easier to get the attention of management as they seek to cut costs as much as possible, and Least Privilege Security can certainly be considered a cost-cutting initiative, with many other benefits to help the company remain competitive during hard times.

Selling Least Privilege Security

Projects that implement some form of security measure are always a hard sell. This is especially true of Least Privilege Security, as business has little understanding of security beyond antivirus software and firewalls. It's assumed that if antivirus software and a firewall are installed, systems are fully protected against every eventuality. Those who are knowledgeable about IT security are aware that antivirus software is not completely effective and that, as threats become more sophisticated, such security becomes less effective still.

Security is like insurance: much easier to sell as part of another product. Consumers expect cars to come supplied with seatbelts, and would no doubt prefer that PCs come already protected from common threats. Physical security is easy to see; everyone wants a lock on their front door, as it's clear what the consequences of not having one might be. IT security is harder to quantify for those not well versed in computer science, so it's especially hard to sell as a separate entity. If users can't see a problem, they're not worried about it. The same applies to management; you have to present security as a real business problem that affects the company's bottom line for it to be taken seriously.

It's best not to sell security directly, but to include it as part of another project. The ideal platform for promoting Least Privilege Security is the deployment of a new desktop image, sometimes referred to as a desktop refresh.

Note

A desktop refresh deploys a desktop image: a preconfigured copy of an operating system that's used for deployment to many desktops. Images help reduce costs by cutting out the manual steps required to install an operating system on individual PCs, and help IT departments standardize configuration.

Many initiatives can be packaged along with a desktop refresh, improving the return on investment. You will need to demonstrate to management what benefits a desktop refresh will bring and how your project will help meet business needs. Some of the technical benefits of a desktop refresh are:

  • Standardized image
  • Upgraded operating system or service pack
  • Least Privilege Security
  • A move towards a properly managed desktop infrastructure that has Group Policy settings and other management technologies
  • Changes to users' systems can be explained more easily as part of a desktop refresh
  • Updated software
  • Improved performance and security by removing unnecessary software and components

Communicating technical details to business managers is not effective, as they don't understand the language. When a serious virus outbreak is discussed by management, you will hear statements such as "But we've got a firewall, haven't we?" This is a clear demonstration of a lack of technical understanding, and that management doesn't want or need to learn the technical ins and outs of computer networking. Many of us drive cars, but that doesn't mean that we understand or care how the engine works.

Use business language when communicating with management. Only present figures on how many viruses infected the network if specifically requested, or as a last resort. The fact that your network was infected by a hundred viruses in one week is of little interest to most managers. They want to know how this affected the company's bottom line. Having this data to hand is useful if you're required to back up your claims, but using it as the basis for a presentation will not be effective.

Using key performance indicators

It is a good idea to identify Key Performance Indicators (KPIs) using your organization's business goals and map them to security risks. Mapping security risks to key performance indicators helps to get acceptance from management for your Least Privilege Security project.

Note

A Key Performance Indicator (KPI) is a metric used to measure the success of a process that helps a business reach a predetermined goal or objective.

Show management how Least Privilege Security, or preferably its parent project, will help you better manage security incidents. While it's useful to have data about how many security incidents the IT department has dealt with in a given time period, you should present this information only if it's demanded by management. Try to focus on how efficiently you manage security rather than the number of incidents that were dealt with.

Using key risk indicators

While security incidents on PCs often remain isolated and disrupt activity only for a short time, if you add together all these incidents, the loss in productivity over a long period of time can be considerable.

Note

Key Risk Indicators (KRIs) show the likelihood of a security incident disrupting business activity, and so directly affecting the company's bottom line.

For instance, if sales people need to sell a certain number of units in a given time frame, identify how a security incident might prevent that target from being met. This is part of demonstrating that security is a business problem, and not something that is just an issue for IT.

It may be useful to create your own KPIs based on how IT supports business processes, rather than relying on those stated in business documentation, making it easier to map KRIs to KPIs. You'll need to have a good knowledge of your business and the industry in which it operates to truly understand the motivations for particular KPIs.

Mapping CSFs to KPIs

Rather than looking at a list of key performance indicators for your company, it may be easier to examine security issues faced by your IT infrastructure, identify how they might affect Critical Success Factors (CSFs), and then map them back to the appropriate KPIs.

Note

A Critical Success Factor is an important activity that ensures a business will meet a goal or objective.

As someone who is knowledgeable about your company's IT infrastructure, you know what the security issues are. Looking at a list of KPIs and trying to map them to security issues could be a daunting task. Security incidents affect productivity, compliance, and business continuity on a micro level, making it hard to map security risks to high-level key performance indicators.

Computer systems create operational and compliance risks for your business. IT systems are so critical to the operation of most modern businesses that almost any risk introduced into a computer network has the potential to affect a large percentage of a company's KPIs. When presenting information to management, try to avoid using IT KPIs as the main focus, and if they must be included, do it sparingly and as the last example.

The following diagram shows how IT security risks can negatively affect the business bottom line using two terms that business leaders understand—key performance indicators and critical success factors.

Security metrics

Data from Intrusion Detection Systems (IDS), firewalls, and antivirus software can be used to help security professionals improve service and provide evidence for the need to implement new systems and projects. Data can be collected automatically and reports can be generated by security systems to show the extent to which security risks are a problem across the enterprise.

Threat modeling

Threat modeling may also be used as a means to show the effect of security incidents on critical business processes. Applications such as Amenaza's SecurITree can help you build detailed threat models to help promote security initiatives to management.

Reducing costs

Show management how future costs will be reduced by implementing Least Privilege Security or its parent project. A simple graph, based on data that you've collected, might be used to prove how your project can save money and help improve productivity.

Instead of trying to forecast how much such a project could save the business, try, if you can get backing, to conduct a trial on a small number of users. You can then compare before and after data to demonstrate that your project will make a difference if implemented throughout the enterprise. Running a trial is more effective than presenting facts and figures without any real evidence of the benefits to your company. Obtaining hard data to show how Least Privilege Security improves IT services is not easy, so it's likely that you will have to prove the benefits to management yourself.

The following graph is an example of how you might demonstrate to management the benefits of a desktop refresh project in reducing help desk costs and increasing productivity over a three-year period.

Security adds business value

Tell managers how Least Privilege Security, or its parent project, is going to add business value. Strong security helps business continuity. In the event of a serious virus outbreak, Least Privilege Security on the desktop can help minimize or even prevent systems from crashing and being subject to data loss.

If you formulate a security risk programme, it's useful to include governance on how security decisions are made. If the final say is down to upper management, record that fact, so that when security issues arise, it's clear who was ultimately responsible if the decision to ignore key risk indicators was taken.

Setting an example

Employees take the lead from their managers, so if a project to implement Least Privilege Security is to be successful, you must have management buy-in. Not only should management support your initiative, but they must also be prepared to set an example and opt in as well. All too often, managers decide to exclude themselves from Least Privilege Security, on the basis that being a part of management is a good enough reason to be exempted. If managers don't think a scheme is important, then employees won't think so either. Managers should also be held accountable, as they often like to exempt not only themselves but also the staff in their charge, without a solid justification.

Tip

Sysadmin standard user accounts

Sysadmins should also run with Least Privilege Security, thereby helping to set an example and catching problems related to standard user accounts before it is deployed across your enterprise.
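Exemptions by managers and sysadmins only stay hidden if nobody looks. As an added example (not from the book, and not a tool the book describes), the following PowerShell script lists every member of the local Administrators group on a set of workstations and flags those not on an approved list, so that each exemption can be justified or removed. It assumes PowerShell Remoting is enabled on the targets; the computer names, domain name and approved groups are constructed placeholders.

```powershell
# Added example: audit local Administrators membership across workstations.
# Assumptions: PowerShell Remoting is enabled; names below are constructed samples.
$Computers = @('WS-FINANCE-01', 'WS-SALES-02', 'WS-ITADMIN-03')

# Domain principals that are allowed to hold local admin rights (constructed list).
# The built-in local Administrator account is also treated as approved.
$ApprovedDomain = @('CONTOSO\Domain Admins', 'CONTOSO\Desktop-Support')

$Findings = foreach ($Computer in $Computers) {
    try {
        # Get-LocalGroupMember ships with Windows PowerShell 5.1; it runs on the target.
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
        }
        foreach ($Member in $Members) {
            $IsApproved = ($ApprovedDomain -contains $Member.Name) -or
                          ($Member.Name -eq "$Computer\Administrator")
            [PSCustomObject]@{
                Computer = $Computer
                Member   = $Member.Name
                Type     = $Member.ObjectClass
                Approved = $IsApproved
            }
        }
    }
    catch {
        # Unreachable machines are reported explicitly rather than silently skipped.
        [PSCustomObject]@{
            Computer = $Computer
            Member   = "<unreachable: $($_.Exception.Message)>"
            Type     = 'Error'
            Approved = $false
        }
    }
}

# One row per unapproved account: these are the exemptions to raise with management.
$Findings | Where-Object { -not $_.Approved } |
    Sort-Object Computer, Member | Format-Table -AutoSize

# A per-machine count is the figure that belongs in a management summary.
$Findings | Where-Object { $_.Type -ne 'Error' } | Group-Object Computer | ForEach-Object {
    [PSCustomObject]@{
        Computer         = $_.Name
        UnapprovedAdmins = @($_.Group | Where-Object { -not $_.Approved }).Count
    }
}
```

Run the audit before the trial and again after the rollout; the drop in unapproved local administrators is a before-and-after figure of the kind the Reducing costs section recommends.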