[ISN] Redefining Security the New Goal of Former i5/OS Security Architect

From: InfoSec News (alerts@private)
Date: Mon Nov 26 2007 - 22:16:40 PST


By Alex Woodie 
November 26, 2007

There's a serious problem with the state of security in the IT industry, 
according to Pat Botz, former i5/OS security architect with IBM. The 
problem isn't a lack of tools and technologies for implementing 
security. Instead, the root of the problem stems from a lack of 
leadership from business people, who have given too much responsibility 
to the technical experts. Botz recently left IBM to work on this problem 
with his new consulting company Group 8 Security, which formally 
launches next week.

To hear Botz talk about the state of computer security is a little 
bewildering. One goes into a conversation expecting the security expert 
to talk about the latest encryption standards, strong authentication, 
how to survive an audit, and the need for good intrusion detection--the 
daily cud of the security racket. But in fact those are the last things 
he wants to talk about. What Botz really wants to talk about is what he 
sees as the disconnect between the decision makers in the corner offices 
and technical pros in the server room, and how a good portion of the 
problems in IT security can be traced back to the absence of strong 
leadership emanating from the tops of organizations.

It's a little like getting an interview with Joe Montana, the legendary 
49ers quarterback, and instead of hearing how he came to perfect the 
two-minute drill that led to so many Super Bowl rings, all he wants to 
talk about is the importance of having a good organizational structure, 
flowing smoothly from the general manager to the linemen. Of course, the 
selection of personnel is a key ingredient in putting together a 
successful football team. It isn't as exciting as watching a master 
execute the two-minute drill, but without a solid foundation composed of 
individuals in positions they are qualified and trained to hold, the 
team's chances of success are greatly diminished.

And that's how Botz sees the state of IT security. Instead of having the 
general manager making strategic decisions that will lead to the success 
or failure of the team, these decisions are being handled at game time 
by the players on the field. Because these players--the IT professionals 
hired to run the servers and maintain the networks--aren't qualified to 
make these decisions, they often end up making the wrong decisions, 
thereby decreasing the security of their company's data, increasing the 
cost of implementing security, or both.

What's even worse is that the business managers have willingly ceded 
this responsibility to their tech-savvy grunts under the misconstrued 
assumption that security is a technical issue that they have no business 
getting mixed up with, Botz says. "Security isn't primarily a technical 
issue. It's a business issue," he says. "Part of the reason, I strongly 
believe, for the dismal state of information security across the whole 
industry--not just the System i, but the whole industry--is because the 
average chief security officer (CSO), the average chief financial 
officer (CFO) has assumed that information security in the electronic 
age is purely a technical issue."

To use another analogy, companies are putting the cart before the horse. 
Instead of defining security policies in plain English, and then 
figuring out which technical procedures and processes will allow them to 
accomplish the goals of that security policy in the most efficient 
manner, companies are forgoing the security policy entirely and jumping 
straight into the technical part of setting policies and procedures. (To 
take the analogy one step further, many companies have abandoned 
security policies entirely--they've gotten rid of the horse--and are 
just pushing the cart around by hand.)

Botz explains the problem using System i terminology. "Security isn't 
about setting QSecurity to Level 40. Security is about explicitly 
stating whether or not people in finance are allowed to access private 
employee data in the HR database. And it's not a technical issue--it's 
purely a business issue," he says. "If the business people aren't 
involved in defining what 'secure' means to that organization, I 
guarantee you there's no way to measure that organization as to whether 
or not it has properly secured its business assets, because nobody's 
defined it. And yet the vast majority of companies are jumping into 
information security at the enforcement stage, at the 'set that value 
this way' stage," instead of starting with the security policy.

In case you haven't guessed by now, Botz's goal at Group 8 Security will 
be to bridge the gap between business people and technical people when 
it comes to managing security. The company aims to do this by working 
with CSOs and IT directors to define their security policies. Once the 
policy is in place, Group 8 consultants will work with the folks in the 
customer's IT department to come up with a set of procedures and 
processes that implement that security policy in the most effective 
manner possible. The company will also work to implement those 
procedures and set up a way to monitor their effectiveness over time, 
but these will often be separate contracts, Botz says.

Botz is adamant about respecting the balance between the level of 
security an organization attains and the cost it takes to get there. "We 
have this saying that security is a function of risk and cost," he says. 
"You cannot consider security merely by looking only at risk. You must 
look at cost. It's the only way you can manage security. And we want to 
help companies make valid, rational business decisions about security 
that put them in the best possible position for that particular 

Group 8 Security will target mainly small and mid-size businesses that 
lack the resources and expertise to implement information security in 
the proper manner, including setting a policy, deducing procedures, 
executing the plan, and monitoring it for long-term effectiveness. 
Bigger companies typically have a more solid grasp on these IT security 
fundamentals, Botz says. However, Group 8 will take larger corporations 
as clients for point projects, such as implementing single sign-on.

Group 8 Security, which is a double-play on the Group 7 security level 
in the hit movie "Tron" and the group of eight industrialized nations 
that make up the G8, will function as a distributed company. Its 
headquarters will be in Reno, Nevada, but its consultants will be 
located around the country. Botz remains in Rochester, Minnesota, where 
he worked in the System i division for a number of years. The company is 
currently ramping up. It has five employees, is looking to hire people 
skilled in the business side of IT security, and already has some 
customers lined up.

Botz says the first six months of his recent stint at IBM Lab Services--his last 
assignment at Big Blue--helped him to realize the existence of a huge 
disconnect between business objectives and security policies. "I would 
get phone calls mostly from technical people and they would essentially 
say, 'I have a requirement for single sign on.' And that always struck 
me as odd, because single sign on is the solution to a requirement, but 
it's not a requirement," he says. "It's one way to address the 
requirement, but the real requirement to that is 'I need to 
significantly reduce the cost of managing identification and 

But in most cases, the real requirement can't be reverse-engineered from 
the series of processes and procedures that IT people are creating as 
pseudo-security policies in the absence of true security policies defined 
by the dollars and cents guys. "You read SOX, and nowhere does it say 
anything about QSecurity or whether or not QSECOFR should be allowed to 
log into more than one terminal at a time," Botz says. "You just can't 
possibly go backwards from looking at a configuration and determine what 
the policies were you were trying to enforce."

Where many IT folks moan about SOX's lack of clarity and the resulting 
tsunami of complexity, Botz sees illuminated flexibility and government 
rightfully keeping its hands out of telling a System i shop exactly 
which bits should be flipped, and when. "I would argue that it's nowhere 
near as difficult or complicated as it appears to be," he says. "The 
reason why it appears too complicated is, if you don't have a 
well-defined objective, how the hell are you ever going to measure 
whether or not you've gotten there?"

In many ways, Group 8 Security's goal is education, and convincing 
customers that security is not the black art that it appears to be to 
business folks. "They don't have to be technical experts in any way to 
play their proper role. They should not be telling technology people 
which firewall to use, or even what functions it should have. But they 
should be making clear statements, they should be driving the process," 
Botz says. "Instead, because the business leadership isn't playing its 
role, we have technical people, in effect, making business policy 
decisions, and trying to enforce them."

In the end, Group 8 Security is attempting to do something no other 
security consulting company has tried to do: Educate a wide swath of the 
market to the true goals of information security, thereby empowering 
executives to assume their proper place in the line and vanquishing the 
myths of security as a geeky black art forever. It's not quite "Rent a 
CSO," but it's pretty close.

"The modest objective of Group 8 is to change the way the entire 
industry manages security," Botz says. "And once we get done with that, 
we're going to attack world hunger. We thought we'd go after the 
low-hanging fruit first."

Copyright 1996-2007 Guild Companies, Inc. All Rights Reserved.
