Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Security’s greatest hits.

In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users.  They turned out to be popular if they:

- were used directly by the users
- allowed the users to do something better, or faster, or both better AND more securely
- helped reduce the risk of a legal problem

Never mind that we might have done something much more impressive with the firewalls, or monitoring, or something "under the covers." It might as well have been plumbing.  I could have gone to them and said, "We've replaced everything with the finest tubing and we won't have any more leaks for 20 years," and they would have said, "Oh.  Fine.  Next?"

This is just to point out that not all "security impacts" are equal.  We may spend a lot of time Fighting the Good Fight to secure against cross-site scripting, for example, but it's often seen as much more valuable if it secures the way people are actually using data.  In the eyes of the business, the ultimate risk decision maker, the more visibly a change affects and helps the users, the bigger the win.  So from a practical point of view, they're using a very different set of risk factors than we are from behind our consoles and our dashboards.

Which set is "correct," and which view gives the better picture of the actual security risk, may never be settled.  But an ISO's (information security officer's) job is to try to understand and reconcile the two as far as possible.

Posted by shrdlu on Thursday, May 22, 2008