
Company culture
Culture is often a roadblock to innovation and change, and understanding company culture is crucial to the success of any project, technical or otherwise. People resist change, and this is no less true in the area of computer security, as users almost universally perceive security as an inconvenience and something that hinders their work. Users' acceptance of new ideas and working methods largely depends on company culture.
During my career, I've worked for various organizations, each with its own unique culture. If you've never worked for a large corporation or have worked only for small businesses in a specific field, it may be difficult to appreciate the vast gap between cultures, how this affects what can be achieved, and how to go about doing it. Though it's possible (and maybe even desirable) to change your company's culture, that's not what this book is about. Instead, we need to determine what kind of culture exists in your company, and how to work with it so that Least Privilege Security will be accepted.
Defining company culture
Company culture determines how the employees and management of a company behave. For instance, to what extent do employees:
- Help one another and contribute to teamwork?
- Cooperate to achieve common goals that will benefit the company's bottom line?
- Respect each other?
- Understand the work profile of colleagues and other departments?
If your answer to most of the questions above is "to a great extent", then it's likely that your company has a healthy culture. This will make deploying Least Privilege Security on the desktop easier in your organization, as users will make an effort to understand the reasons for the project, provided those reasons are properly explained to them.
Should your answer be "not to a great extent", you're likely to have your work cut out for you. Employees may be defensive, unreasonable, have unrealistic expectations, or be aggressive. Also, if users don't consider a new project to be in their interests, IT is likely to struggle to get them on-side.
Culture shock
If users currently run with administrative privileges on their desktops and you plan to take those privileges away, then no matter what kind of culture your company has, you need to be well prepared to justify your actions. This is similar to taking a toy away from a small child. If users arrive at their desks one morning to find that they can no longer install the latest version of Quake, you're likely to have a mutiny on your hands.
While it may seem perfectly reasonable to remove privileges, you might be surprised at how quickly management withdraws support for your project when faced with an unhappy workforce. Users may feel that such measures are draconian and that they are not trusted.
In large organizations, it's often the culture that such security measures are the norm, and employees rarely question security initiatives. However, it's still recommended to plan for the changes Least Privilege Security requires and be fully prepared for any cultural problems that might arise.
Culture case studies
The following case studies illustrate how culture affects daily IT operations. While they represent two extremes, both are common in the real world, as is everything in between. It takes only a few days for a new employee to understand a company's culture, but understanding how that culture influences employee behavior is important for gauging the level of cooperation you're likely to receive.
Company A
Joe Ramsey works for Company A and is the IT department's biggest nightmare. He installs software downloaded from the Internet on his laptop, allows his 16-year-old son to surf the Web unsupervised, and changes settings on a daily basis. Joe calls the help desk two or three times a day, and the operating system on his laptop has to be reinstalled every three months. Joe's machine has been responsible for a denial-of-service attack against the company's e-mail server because of a worm that the antivirus software failed to detect, which cost his company $10,000 in lost revenue and damaged its professional reputation.
Company A is like the Wild West. Despite the costs to the business, users are allowed to use IT systems however they see fit, breaking IT policy at great expense to the company. Systems are not managed in any way and neither are users' expectations. The company's PCs are riddled with malware and illegally downloaded software. Users demand that new software and hardware be installed on their company PCs, whether or not approved by IT, and are perplexed if such requests are not fulfilled immediately.
Despite all the damage Joe has caused by ignoring IT policy, he is still employed. While other employees don't cause as much trouble, there could certainly be more employees like Joe. If the IT department rejects a request to install software or to make some change that isn't a genuine business requirement, users get angry and often complain to their boss. This makes it very difficult for the IT department to manage systems and make changes based on business needs, as the culture allows aggressive behavior to take priority over genuine needs and requirements.
Unfortunately, employees who do comply with IT policy still experience problems with their PCs, with a high total cost of ownership and limited return on investment. PCs require constant maintenance, and the IT staff has little time to invest in improving systems for the benefit of the company's bottom line.
Implementing Least Privilege Security on the desktop in Company A is going to be tough. You will need to have a really strong personality, and be prepared to stick to your guns when the going gets tough.
Company B
In comparison, Company B is paradise. Though there is limited management of PCs, users respect IT policy and rarely break the rules. Regular auditing allows IT to detect whether users have installed unauthorized software, and to act accordingly.
Employees are used to following IT procedures for the procurement of new software and hardware, and don't make requests that they know in advance are not business related. Users wait for IT to process their requests within the time specified in the service level agreement, and don't use aggressive tactics to get their own way.
This orderly culture will make deploying Least Privilege Security on the desktop much easier, as all requests for service can be reviewed appropriately to make sure they work in harmony with Least Privilege Security. Company B's culture puts IT in a better position to manage systems effectively, invest more time in improving services, and help the company to stay ahead of the competition.