Published: 01 Oct 2006
Information security can no longer pit itself against ease of use and business objectives. It's time for a change.
Security professionals know, but won't admit, what the rest of the world--including management, users and customers--long ago figured out: information security in most organizations isn't working.
As the old saying goes, "We have met the enemy and they are us."
We have a long history of saying no to innovations and new business demands. We were guilty of saying no to wireless networks in the early years because of security concerns. In fact, if security professionals had their say, the whole wireless industry would have been put on hold.
Then there are the business scenarios we all know about. Product management or marketing comes up with a great idea to grow company sales and passes it along to security for feedback. The security team, of course, flatly says no--or worse, yes, but only if the company buys three firewalls and spends a quarter-million dollars on an advanced user management system, which is basically a non-starter for the business folks.
Rather than tell the security team to politely "go away," the product and marketing people move on with the project without security being involved. Security finds out a week before rollout, and as a topper, the announcement of the new system comes from the CEO. Suddenly, security's veto power is gone and security is left out of all discussions of new products and systems.
There is talk about building security into business processes, but even with some improvements, users still view security as a problem, and some managers consider it a huge burden with a hard-to-measure benefit.
We believe the security industry has been asking the wrong questions, and we've boxed ourselves into lose-win, win-lose situations. We've pitted security against ease of use, business objectives and customer satisfaction.
Security professionals have also hitched a ride on the FUD (fear, uncertainty and doubt) bandwagon of regulatory compliance. In fact, the product and consulting sides of the industry have formed a duopoly, peddling appliances and services purported to prevent another Enron.
The information security industry needs major change. It must become flexible and easy to use, and it must be designed to reach business goals.
Security products need to become as easy to operate as an iPod for the average non-technical user. Professional user interfaces should be developed with input from security administrators to capture the needs and wants of that community, and not designed by kernel-level, network-stack programmers. Most of all, they need to include features that map to business needs: built-in auditing and a decent interface to access and report from log files in order to satisfy auditors.
For the security professional, it may be time to ask some new questions:
- How can I contribute to the organizational goals without becoming a roadblock?
- What shared interests does security have with the business and how may they be used to build bridges in the future?
- Rather than using FUD to motivate people, can I use ROI and better features to make a business case for security?