Carrot-sticks and security.
When you’re in an enforcement position in security, you have to spend a lot of time balancing the carrot against the stick.
Do you ask someone nicely to stop doing something? Are you afraid of falling into the trap of saying, “Stop! ... Or I’ll say ‘STOP’ again!” Or are you a BSOFH, gleefully fondling your handcuffs and sending flame after flame to every poor sod who clicks on the wrong link?
My personal preference is to use the “carrot-stick”—heavy on the carrot, but with the stick just barely visible, or at the very least understood to be there.
Enforcement in security can backfire if you do it wrong: if you spank people whenever they make a mistake, they will just stop telling you about the mistakes—or, worse yet, stop looking for them altogether. (I suspect we will see at least some of this as the forced-disclosure laws reach a critical mass. You don’t have to disclose what you don’t know about.) On the other hand, you don’t want people mistaking a security policy for a suggestion. A lot of this is in the eye of the beholder: if a user comes from a background where security was up-front and mandatory (say, in the DoD), you’re probably not going to have a problem with him. On the other hand, someone who just made a $2 million bonus is less likely to care what ANYONE thinks, much less someone from the IT side of the building.
So you need to tailor your security reactions to your audience. What is your perceived ranking in the organization compared to theirs? Are they reasonable people, or self-centered twits? Is this the first encounter you’ve had with them, or the twentieth? Here are some different approaches to the same user who has been going to naughty sites and saving certain files locally:
All carrot, no stick: You go to his cube (or office) and explain nicely that you happened to notice some unusual traffic coming from his computer, and you’re worried that it might have gotten infected with a virus or spyware. You mention casually that this can happen if one visits a non-business-related site, and ask if you can arrange a time for tech support to come and examine his computer. Then you go away. By the time you come back, the browser cache and history are magically clear, and the user has stopped whatever it was he was doing.
All carrot, no stick, but mild confrontation: You happen to meet up with the user alone in the elevator, and say, “We were doing an inventory scan of all the computers last week, and I was just wondering: what does ‘anal violation’ mean?” You drop the line of inquiry right there, and by the end of the day, the user’s desktop is, once again, sparkling clean.
Carrot plus visible stick: You ask the user to come see you in YOUR office. This is a mild power play that, if it works, is very effective. (“Oooo, you got called to the Security office!” the co-workers will tease.) Then you put the stick away, get out the carrot, and have Conversation #1 (the all-carrot talk from the first approach) with him. If you’re feeling a little more stick-like, you might add at the end of the talk, “Please feel free to call if you have any questions. I’m sure this won’t happen again.”
Carrot plus more stick: You ask for a meeting in the user’s supervisor’s office.
Carrot plus even more stick: You meet with the supervisor first, without talking to the user. Then, depending on what the supervisor wants to do, you call in the user. When you have clearly already been talking to the supervisor first, it carries more weight.
There are plenty of permutations to this line of work, and they all depend on whether there is an ongoing problem that has momentum, and therefore needs a bigger action to nip it in the bud, or whether you are simply introducing a new policy that you need the right people to agree to. Whether you send out an announcement yourself, or have it sent out by the CEO, also speaks volumes. Putting something in writing is always more stick than a verbal conversation, especially if you start using language that sounds legal in nature and refers to particular policies or document sections by name. The user will suspect that you are formally documenting something to build up to an official HR action, so only use this when such action is a plausible next step.
Sometimes using peer pressure is more useful than supervisor pressure. If you are working with a certain level of management, it helps to call a meeting of their peers and make sure several of them are already on board with what you want to propose. You get to look like you’re asking for their input, where in reality you’ve decided on something and are simply nudging everyone to march in the same direction.
Finally, if you have actual control of system access, you have a large stick, but you have to be careful how you deploy it. It helps to agree with your boss ahead of time that you will only cut off a user’s access if you believe there is an imminent threat to the system itself, and that you will notify the boss as soon as you do it. Even threatening to cut off access (say, if you get no response to a user recertification request) is powerful stuff, so make sure it’s a last resort, and make it clear to the audience that it’s a last resort: “If we cannot validate this account, we will have to disable it to maintain our compliance with audit requirements.” “We could not determine the nature of this traffic, so we had to block the source IP at the firewall.”
An ISO without enforcement abilities is like a Beanie Baby without a pencil sharpener up its butt: cute, but useless. Make sure you have a sharp edge somewhere, and when you finally have to show it to someone, it’ll be impressively shocking.


Very good post. Worth a hardcopy for quick reference!