Thursday, August 30, 2007

Where DO You Draw The Line: Security Responsibility

Warning! Warning! Blogging frenzy ALERT :-)

So, this piece from AndyIT blog and his quote of SANS's Dr Ullrich touch upon something deceptively obvious: just WHERE do we draw the lines between user vs IT/IS responsibility for security? In fact, the situation is even more complex: it is user vs IT vs infosec team! (and there is also a software vendor responsibility somewhere here....)

Let's go thru some scenarios:
  1. User and IT=0%, infosec=100%. Result: failure of security due to technology limitations, lack of control over the environment, as well as social engineering
  2. User=100%, IT and infosec=0%. Result: trivial case, obvious failure
  3. Then it gets real complex real fast for the cases of shared responsibility ...
Thoughts? Analogies from adjacent fields? Metaphors even? I think this will not be resolved in our lifetime....

UPDATE: AndyIT answers it - "Probably something like Security=85%, IT=10% and Users=5%." See more of his follow-up post here.

Dr Anton Chuvakin