LAS VEGAS -- According to a former security researcher and engineer, enterprise security spending has become excessive because business executives don't understand how to calculate risk. At the same time, security professionals drive excessive security spending by implementing technologies that hinder employee productivity, which could ultimately hurt a company's bottom line.
CEOs are writing checks blindly, said Douglas Merrill, former chief information officer and vice president of engineering at Google Inc., and currently the president at music label EMI Group Ltd. One in three executives fund security budgets every year and have no idea why, he told attendees in his keynote presentation that kicked off Black Hat USA 2009.
Merrill, a former security researcher and engineer at the Rand Corp., a nonprofit policy think tank, pointed out that security budgets have been relatively immune to the economic downturn, with surveys showing some increasing by 5% or more. Security pros continually push for more funding, often stressing the need to avoid data breaches or the importance of completing ongoing compliance initiatives. Exhausted executives usually write a blank check, he said, even as security pros keep complaining that they are not adequately funded. "They're practically paving our offices with gold now, and we're still unhappy," Merrill said.
He urged security professionals to loosen restrictions that could hinder innovation at many companies. Merrill cited a recent study by Fortune magazine on the best places to work: overwhelmingly, employees were most productive when they felt free of restrictions.
"Employees felt most satisfied and more productive by having the freedom to innovate and feeling involved in their company," Merrill said.
Even executives with security backgrounds are sometimes hindered by restrictive policies. At EMI, Merrill admitted violating a company information security policy: he had an assistant move his schedule onto Google Calendar so he could bypass the restrictions and easily reach it while traveling. Security professionals need to learn from firms that design their technologies for consumers, he said, because ease of use directly affects a company's bottom line. In many cases, according to Merrill, consumer technologies are better than those in the enterprise.
Many data breaches are happening because of silly mistakes, such as employees throwing out sensitive data instead of shredding it, yet, according to the former Google CIO, companies are investing millions of dollars in new technologies that monitor employees and cut off access to data and systems. Companies are turning to automation to eliminate human error, but Merrill referred to Google's engineering processes and its encouraging atmosphere as a proper model.
When he was at Google, he said, systems monitored traffic for abnormalities. Alerts were logged and flagged for attention, then addressed with minimal disruption to the people generating the traffic.
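The pattern Merrill describes, monitor for abnormal traffic and raise an alert for review rather than cutting the user off, is easy to illustrate. The following is an added example written for this article, not Google's monitoring code; it assumes a simple constructed log format (`<minute> <user> <bytes_out>`) and a per-user baseline window, both invented here. Each user's per-minute outbound volume is compared against that user's own baseline, and deviations are flagged into an alert list while every record continues to pass through untouched.

```python
"""Alert-only anomaly detection over constructed access-log lines.

Illustration added to this article; not Google's monitoring code.
Assumed (invented) log format per line: "<minute> <user> <bytes_out>".
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample traffic, not real data. Minutes 0-4 form the baseline;
# at minute 5 "alice" sends roughly 45x her usual volume (an exfiltration-like
# spike), while "bob" stays normal. One garbled line is included to show
# that unparseable input is skipped rather than crashing the pipeline.
SAMPLE_LOG = """\
0 alice 1000
0 bob 800
1 alice 1100
1 bob 900
2 alice 950
2 bob 850
3 alice 1050
3 bob 880
4 alice 1000
4 bob 820
this line is garbled
5 alice 48000
5 bob 870
6 alice 1020
6 bob 900
"""

BASELINE_MINUTES = set(range(5))  # assumed baseline window: minutes 0..4

LINE_RE = re.compile(r"^(?P<minute>\d+)\s+(?P<user>\S+)\s+(?P<bytes>\d+)$")


def parse_log(text):
    """Parse log text into (minute, user, bytes) tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m["minute"]), m["user"], int(m["bytes"])))
    return records


def per_user_per_minute(records):
    """Aggregate outbound bytes per user per minute."""
    totals = defaultdict(Counter)
    for minute, user, nbytes in records:
        totals[user][minute] += nbytes
    return totals


def detect_anomalies(records, baseline_minutes=BASELINE_MINUTES, z_threshold=3.0):
    """Flag minutes whose volume is far above the user's own baseline.

    The spread is floored at 10% of the mean (and at 1 byte) so that a very
    flat baseline does not turn trivial jitter into alerts. Returns alert
    dicts; it never blocks or drops traffic.
    """
    alerts = []
    for user, by_minute in per_user_per_minute(records).items():
        baseline = [by_minute.get(m, 0) for m in sorted(baseline_minutes)]
        mean = statistics.mean(baseline)
        spread = max(statistics.pstdev(baseline), 0.1 * mean, 1.0)
        for minute, total in sorted(by_minute.items()):
            if minute in baseline_minutes:
                continue
            z = (total - mean) / spread
            if z >= z_threshold:
                alerts.append({
                    "user": user,
                    "minute": minute,
                    "bytes": total,
                    "z": round(z, 1),
                    "action": "flag_for_review",  # alert, do not block
                })
    return alerts


def triage(text):
    """Run the pipeline; return (alerts, number of records passed through).

    The second value equals the number of parsed records: nothing is held
    back, which is the minimal-disruption point of the article.
    """
    records = parse_log(text)
    return detect_anomalies(records), len(records)


if __name__ == "__main__":
    found, passed = triage(SAMPLE_LOG)
    print(f"{passed} records passed through, {len(found)} alert(s) logged")
    for a in found:
        print(a)
```

Raising the alert threshold or widening the baseline window trades missed spikes for fewer false positives; the point of the design is that tuning happens on the alerting side, and the user's traffic is never interrupted while an analyst decides whether the spike was a backup job or a problem.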
Google didn't lock down its engineers' work environment, he said, and as a result new, more secure processes emerged. "[Employees] shouldn't feel like they're criminals for being innovative. … If we want to keep our jobs and be generally happy, we have to find a way to help employees innovate."
"We have to make it so security is not a problem," Merrill said.