Managing to the biggest risk.
Wherever two or more people are gathered, there are politics.
This is no different in security, and yet very few people acknowledge this in their risk models, perhaps because the potential loss there is so hard to quantify. And yet the political aspect permeates many of our risk decisions, and affects them either positively or negatively.
Take a simple example: let’s take the discussion that always happens around a security breach. People want to know whether someone was fired as a result of a breach or otherwise disciplined, and unless you actually identify a likely suspect and see him cleaning out his desk, you’ll never get an answer. This is for a very simple reason: it is generally company policy never to discuss HR matters. Whether it’s out of a fear of litigation or simply out of discretion, management will never confirm or deny disciplinary actions. This makes your life more complicated if you work in security: you CAN’T talk about what you know. You can’t hold anyone up as an example of what really happens when you circumvent the web filters and download porn, even if it would help you motivate everyone else to follow the rules.
Another example: it would be a lot easier to prevent phishing and malware from entering your network if you could just block email from those pesky customers. But because it could be a legal or public relations nightmare if you were seen to be ignoring a member of the public, you have to open a lot more bizarre messages than you really wanted to.
We all know someone in our organization who either gets away with the security equivalent of murder because of Who She Is, or conversely, who has to be protected even more stringently than others because a security incident would cause more political damage.
But if you’re working for an organization that carries more than its fair share of political risk—say, because it’s an entity everyone loves to hate—then just about every operational decision you make will have a tinge of political calculation to it, and your organization as a whole will have a much more defensive posture. For example, if you live under the threat of FOIA requests, your considerations of how and whether to retain email—and even when to use email at all—will be heavily influenced by your calculation of the political risk if even something innocent is obtained and misused by someone with an agenda. You’ll start walking down the hall to have any conversation on a topic that you think might possibly be used against you somehow in the future—even if you are having a perfectly legal, ethical and sensible discussion. You will retain documents exactly as long as you are legally required to do so, and no longer; you won’t simply archive everything and forget about it the way another organization would, because every written record is a double-edged sword.
An organization under political threat will manage to that threat rather than to the security threats we usually think about. Practically speaking, CEOs are a lot more afraid of auditors and attorneys than they are of hackers, because they can calculate the event frequency of being audited or being sued a LOT better than they can figure out how likely they are to get pwned. This is also why they will manage to the flashiest, most recently headlined security threats rather than the ones from last year (that still aren’t mitigated). They will try hardest to avoid that which is most embarrassing rather than that which is most probable or will cause the most technical damage.
And what is most embarrassing can depend not only on the type of business you’re in, but also on your organizational culture. Josh Corman, who has the annoying habit of rooting my thought processes on a regular basis, posed the question today: How do personal politics affect the way you approach Security?
In my experience, personal politics can affect your security work quite a bit—whether it’s deciding how much to monitor employees or formulating an answer to a complaint. If you’re the kind of person who strongly believes in authority, you will tend to use more of an enforcement model when implementing security, rather than using a persuasive, consensus-driven approach. If you distrust authority, you will spend as much time working to protect people’s privacy as to protect the systems they use. If you were to take a poll of which security professionals believed there was (or should be) no conflict between security and privacy, I think you would be able to intuit quite successfully the respondents’ political leanings, along with their preferred management styles.
So I believe politics can affect both how you assess and prioritize your security risks, and how you go about mitigating them. If you had some kind of magic Silly String that you could spray into your organization to highlight the invisible political tripwires, you’d have a much broader picture of your security risk landscape.