If you would like to read the other parts in this article series please go to:
- Complacency: the 8th Deadly Sin of IT Security (Part 1)
- Complacency: the 8th Deadly Sin of IT Security (Part 2)
In Parts 1 and 2 of this 3-part series on the dangers of complacency in the IT security world, we’ve talked about what leads to complacent attitudes and how attackers take advantage of our complacency to further their attacks. We’ve built the case for taking the problem of complacency seriously, but at this point you might be wondering what specific steps you can and should take to combat it. In Part 3, we’ll discuss some tips for maintaining vigilance without going overboard. Some of these techniques are just common sense; some will be familiar to you as general best security practices, and a few may surprise you.
Don’t get too comfortable
Complacency can be thought of as the “too comfortable zone,” because it’s usually a sign that you have grown too comfortable with your role, the security technologies you depend on, and the assumptions that you make based on past experience (e.g., “it hasn’t happened yet so it won’t ever happen”). When you start a new job, you’re generally uncomfortable because you don’t know what to expect. Thus you’re hyper-vigilant, on the lookout for problems. Getting comfortable is a natural progression when you’ve been on the job a while.
The problem with getting too comfortable is that it leads to a mental state that those in police combat training call “condition white.” This is based on the mental states of awareness model developed by the late Colonel Jeff Cooper. The color codes range downward from red, a state in which we’re engaged and fully focused on an immediate threat, through orange (heightened awareness in anticipation of threat) and yellow (relaxed but alert) to white (oblivious to what’s going on and likely to miss indications of impending trouble). This model was created in regard to physical self-defense but it’s just as applicable to network admin or security personnel tasked with responding to threats to the network rather than to their own physical well-being.
The goal is to be, whenever you’re on the job, no lower on the scale than condition yellow. In this state, you are constantly aware of what’s going on without overreacting. The good news is that you can teach yourself to stay in this state of awareness and once you do, it becomes your natural default setting. But that requires that you change your way of thinking.
When I was teaching officer safety practices at the police academy, one of the most important exercises I had recruits do was form the habit of “if/then thinking.” That means evaluating every situation, even those that are seemingly routine and innocuous (especially those that seem routine and innocuous), and asking themselves, “If X occurred, then what would my response be?” If you’ve already considered the possibilities beforehand, you don’t have to stop and think about it when it happens, and that means your response time will be much quicker. On the streets, faster response to a threat can mean the difference between life and death. In the server room, it can mean the difference between losing your data, having confidential information exposed or having the network go down, and preventing those things from happening.
Of course, the first step in countering the effects of complacency in yourself and your team members is to recognize that it exists. The natural tendency of IT pros reading this series will be to think of someone else they know who demonstrates the symptoms of complacency and fail to see it in themselves. Think about how your attitude toward your work differs today from when you started in that position or with that company. You don’t become complacent overnight. In fact, the first stages (increased confidence in your skills and solutions) are actually positive developments. It’s when you move past that to the point where you’re taking the security of your network for granted that it becomes a problem.
Once you’ve recognized complacency as a problem and started to engage in if/then thinking, you’ll also be much quicker to recognize security problems in the early stages, before irreparable damage is done.
Reassess on a regular basis
When I was teaching new police officers how to develop their problem-solving skills, I used a simple acronym to help them remember the steps in the process: SARA. That stands for See (become aware of the problem, which will happen early if you maintain a “condition yellow” state of mental awareness), then Assess (determine what’s happening – remembering that things are not always what they initially appear to be). Next, Respond (which you can do quickly if you’ve engaged in if/then thinking previously, to plan what you would do if a particular type of attack or incident occurs). But a very important and often ignored step is to Assess again.
Things change. Your response itself is likely to change the situation – sometimes in unexpected ways. You must now assess whether your actions were successful (did they stop the attack or address the vulnerability?), were partially successful (did you slow down the attacker?), made things worse (did you fall into the trap of a clever attacker who predicted what your response would be and exploited it?) or had no effect. You may need to continue with or escalate your response actions or you may need to formulate a completely different response. Ongoing reassessment keeps you on your toes and prevents becoming complacent.
Complacency involves being overly trusting. You trust that your firewall, IPS or other security mechanisms will provide absolute (or at least “good enough”) protection. You trust that users will follow instructions and policies and never deviate. You trust that if you follow a checklist of “best security practices,” your network will be safe. Remember the old adage: Trust, but verify. Don’t take anything for granted.
Those security solutions may have been the latest and greatest two years ago when they were deployed, and you’ve installed vendor updates faithfully, but do you know that they’re still working as expected? Regardless of how much training you’ve given users and how explicit your policies are, human nature dictates that some of them will find ways to engage in unsafe practices (whether deliberately or inadvertently) – especially if there’s no regular follow-up to the training. Best practices provide a good foundation for securing the network, but they’re not a magic shield.
Maybe you’re outsourcing some of your security to a security-as-a-service company. Do you believe everything the sales rep tells you? Can you really just put it all in their hands and forget about it? That’s a breeding ground for complacency. Don’t just automatically accept claims that this service or this software provides adequate protection for your particular needs. Ask questions. Find out exactly how it works. Ask about particular scenarios. Get statistics. Get references from other customers. Don’t take anything for granted.
Shake things up
Because complacency stems from “getting into a rut,” one way to address it is to make changes in your routine and/or role. Cross-training, whereby different team members learn to do the tasks that are normally allocated to others, not only prevents a situation where one person’s absence – either temporary or permanent – leaves the entire department or organization in the lurch because nobody else knows how to do his/her job. It also tends to eliminate complacency, because as we discussed before, people who are learning new jobs are less likely to be complacent.
Not only will you find yourself less complacent about the new tasks that you’re learning, but you are also likely to view your own job in a different light when you start teaching it to someone else. Because you can’t take for granted that the other person understands the underlying reasons for the way you perform tasks, you’ll be forced to think about those reasons (and possibly challenged to defend them or even to consider doing things differently).
Never stop learning
Cross-training isn’t the only kind of training that can combat complacency. I’ve seen it happen many times: an IT pro who has grown a bit bored and complacent attends a good training session and comes back all fired up about his/her job again. Attending outside training programs or bringing in an outside trainer for a day-long (or more) session can inspire you to “think outside the box” – the box being the comfortable little groove that you’ve become accustomed to.
Professionals in licensed occupations (such as medicine, law or engineering) are usually required to complete a number of hours of continuing education each year, to ensure that they’re up-to-date on at least the basics of new developments in their fields. IT security is a largely unregulated occupation, and that’s another thing that allows us to get comfortable and complacent and “skate” on our existing knowledge and skills – until a crisis occurs and we find ourselves in over our heads.
IT, including its security aspects, changes at least as rapidly as, and probably more rapidly than, other professions, so ongoing training is a must. Some managers may see it as a waste of time and money, but it’s actually an excellent investment that pays off in a more secure network as well as contributing to job satisfaction and personal skills development.
Complacency isn’t a character defect; it’s a normal human reaction when people fall into the comfort zone of a familiar routine. However, if it’s your job to protect and serve – whether you’re protecting lives and serving the public as a police officer or protecting the network and serving the company as an IT professional – complacency can be dangerous. Recognizing the signs in yourself and others and taking steps to combat it can save your company money, embarrassment and time, and might even save your job.