Interaction between Security and Hierarchies
You all know hierarchies. You use them, you work within them and you are probably part of one. This is also true for IT staffers or even freelancers dealing with security issues. Usually there is a team/project leader, a CEO, a CIO and all kinds of specialists from other departments (if the company or organisation is bigger). While the „chain of command“ may not be important during daily routine, it is tremendously critical when incidents happen or when the infrastructure is prepared against compromise. More often than not security-aware admins and developers experience the „override by pointy haired boss“ effect. Checks and balances are great, the budget might confirm this, but once you deviate from routine there’s the nasty blame game. That’s when hierarchies turn to bite you in the back.
Time spent on designing proper hierarchies is time well spent. There are plenty of stories around where the right people had the right idea, but they were overridden. Some of them also took the blame for being overruled. If you are ever going to be in a position where security is part of the job description, you absolutely have to make sure that your voice carries sufficient weight. Any recommendation and decision affecting security must be properly documented and every objection must be recorded as well. Sometimes the security officer is just a job to take the blame without any power to influence infrastructure or procedures. If you ever end up in such a position, our advice is to quit as soon as possible.
How do you get around hierarchies to boost security? Well, it depends on your situation. You can either rearrange positions, design everything from scratch right or use temporary exception. The latter strategy is used in the military when units take over guard duty. Guards are usually soldiers from regular units. These soldiers belong to an unit and have their own commanders. This is undesirable for guard duty, because the task of guarding a facility has its own structure, commanders and groups attached to it. If you use regular soldiers from other units from this, they end up belong to two different hierarchies which have different goals. The solution is a temporary change of the chain of command (the German term for this is „Vergatterung“, stemming from the German word Gatter for gate). During guard duty all guard soldiers only report to a specific selection of officers commanding the guard. All other superiors have no command over the soldiers. In turn guard soldiers obtain the privileges to execute tasks connected to their guard duty (including elevated privileges to issue commands to others). This mechanism allows the guards to do their job.
So if you are part of the IT staff or if you are an external consultant always look out for hierarchies. Make sure your opinion carries meaning. If you are responsible for security, make sure you have the authority to influence decisions or to veto them. If you get the position or the contract without the necessary privileges, then chances are that someone is just trying to outsource the blame. Don’t fall for this trick! Politely phrased this trick is social engineering, plainly stated someone is lying to you. That’s no basis for security measures.