I’m old. I admit it. I have a record player and some vinyl records. I like it. I know that there are many ways to make it sound better, but it sounds good enough to me. I also know that other people prefer digital. Analogue doesn’t sound good enough to them.
As a security professional, I’m sometimes asked “How much security is good enough?” It’s a simple question but the truth is that no-one knows and, probably, no-one ever will.
“Do a risk assessment….introduce good metrics….engage with the business” I hear you say. Sounds good, sounds right, sounds like common sense advice. People build careers on that advice.
The problem is that it’s a matter of perspective. Just like my records, perspective is an analogue thing.
In security, we talk about threats, vulnerabilities and risks. But, to what? The normal answer is “to assets”. We try to focus on something concrete, something static, or something more tangible – an asset. By doing so, we remove all the varying perspectives. What does that “asset” mean to the people who created it, work with it, depend upon it or simply watch it pass by?
We try to assign assets to owners and ask them to describe how important their asset is in all possible contexts. But how can they know that and why would they try? How many times do we see the CIO, the section head or, worse still, no-one listed as the “owner” of great swathes of assets?
It’s artificial and lacks the complexity that is the reality of modern work. It’s a digital response to an analogue world.
In most IT enabled organisations everyone is a user. Users take decisions all the time and often, very quickly. Those organisations blessed with users that take the best decisions, in the quickest time, succeed. It seems obvious then, that allowing users to take quick security decisions based on their real-world perspective rather than on predictions made by an “asset owner” some time ago, is a good thing.
The best security policies, procedures, standards and working instructions empower all users to take good security decisions as necessary to achieve their work objective taking account of the threats that they perceive. This approach causes a shift towards addressing threats that change rather than following rules that don't.
Look through those security documents and I think you may see what I mean. Look for the directions that constrain or don’t make sense in your context. Test whether your colleagues, particularly those with responsibility, understand them. If you or your colleagues can’t understand the reason behind a direction, why would anyone else? Look for the permission statements that demonstrate management support. “You are permitted to do x within these limits:” is far more contextual and empowering than “you are not permitted to do y”
It’s no coincidence that management support and user awareness are recognised as important factors in both security and user empowerment.
I’m not advocating the removal of limits. Limits are vital, but ineffective if they are not clearly understood as being helpful. Success in setting good limits can be measured by the number of exceptions that are needed. A justified exception is an indicator that a limit may be wrong.
If you read a security direction and know that it gets in the way or that it is rarely done by colleagues, why is it useful? It’s probably constraining someone else and reinforcing bad opinions of security decisions. It is just as important for a security manager to understand a justified exception as for a user to understand a justified limit.
Good security management isn’t achieved by lots of small binary directions. Neither is it achieved by trying to predict risks to all the assets in all their possible contexts. It’s achieved by empowering people to make informed decisions within limits which are relevant to their job and then supporting those decisions.
Let’s become more analogue.