Tuesday, March 23, 2010

What is a CISO? [2/2]

Security is not about putting an appliance somewhere into the network, it's about mastering what you do. It means strictness, control, review, enhancement. That's not what the typical IT guy wants to do every day. He wants to serve users with the lowest amount of personal work, which at first glance means without security. That's why security may primarily look like a constraint.

But it's not. Security is not only a constraint, it's an enabling mechanism. When you have good security you can do more things. A simple illustration is that you can drive very fast on a motorway because you have good brakes. If you didn't have them, you'd never allow yourself to drive faster than 60mph.

So, when I talk about giving staff a sense that security is not only a constraint, I mean underlining to them how much you can achieve with security that you couldn't without. Let me draw a few examples from live situations I've seen in companies or heard about on the Internet:
  • When you have precise inventory management over computers and printers, you may be able to charge costs back to other departments more equitably.
  • When you have a strict one-identity-per-account policy, actually enforced, you may go one step further and implement SSO.
  • When you are able to restrict and audit the work of your contractors doing remote maintenance, you may be more willing to ask for remote maintenance in the first place.
  • When you have backup systems that are up to the task for all of your main services, you can grant your admins an additional week off.
  • Similarly, when you don't spend hours chasing viruses, you can spend those hours implementing new things.
  • When you have a solid web proxy and a sound policy for it, you can grant Internet access to more employees.
  • When you have an automated RBAC system, you can ensure new users get their access in a shorter time after they join the company.

The thing is, security guys know this way of thinking about security, but they most often communicate about obligations, constraints and legal requirements. That's why it looks as if security is a constraint. (Think about Dilbert's Preventer of Information Services, Mordac!)

That way of thinking is something I didn't see in Bruce Schneier's book Beyond Fear, however interesting that book is. (See Scott Granneman's notes about the book.) Bruce suggests a five-step method to assess the value of a security measure:
  1. What assets are you trying to protect?
  2. What are the risks to those assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What costs and trade-offs does the security solution impose?

But Bruce forgets about number 6: What do you get with that security measure besides protecting the assets?

That's why I think his view about a national ID card is flawed. When you live in a country with a national ID card, as I do, you see that it allows businesses, starting from the smallest shop, to have a good idea of the identity of buyers in case they do not pay. Sure, the ID card is not impossible to fake; it's simply too hard for the passer-by to fake.