[One of my first Trend Watch essays circa 2000 or whenever Dr. Laura - the queen of saying "no" - was popular]
Dr. Laura: “Hello Kate, you’re on the air”
Kate: “Hi, Dr. Laura, thanks for taking my call. My security dilemma is that I would like to open a port in our firewall…”
Dr. Laura: “No. Absolutely not.”
Kate: “But let me explain… If we make this connection to our business partner, we can save $1.2 million in the first 6 months!”
Dr. Laura: “You can make excuses all you want, Kate, but what you are asking is reprehensible, not to mention against policy. [click]. Hello, Nick, you’re on the air.”
Nick: “Hi, Dr. Laura, my security dilemma is I have 75 unique passwords and I was hoping to change them every 31 days instead of every 30.”
Dr. Laura: “How old are you, Nick?”
Nick: “Uh, thirty-four, but why does that matter?”
Dr. Laura: “Because you’re old enough to know better! What you’re asking will create a hole the size of Rhode Island in our computer systems. Suffer for the sake of your company. [click]. Hello, Dan, you’re on the air.”
Dan: “Hi, Dr. Laura. I’ve come up with a way to generate revenue of over $25 million in two weeks using online technology.”
Dr. Laura: “No.”
Dan: “But I haven’t even told you what my security dilemma is!”
Dr. Laura: “I can tell already – a revenue generator that large will put us at risk in an incomprehensible way. [click]”
Sound familiar? Although the conversations above never really happened (couldn’t have guessed, huh?), ones like them occur daily in the lives of Information Security Officers, who are charged with making decisions to protect the interests of their company. Sometimes this is due to the ongoing frustration of being the “paranoid” one in a sea of complacency and other times it is just the easy way out.
The Hurwitz Take: Security is no longer about saying “no”; instead it is about asking “how?” “How” is a much more complex undertaking that should begin with a proper risk assessment and include the application of security architecture principles and techniques to successfully deploy applications that are tearing down the barriers between businesses. “How” is also different from “yes”: “how” ensures that the appropriate level of rigor is applied to the situation to engender a reasonable security posture. Security principles of old must be rethought and modified to mirror the ever-changing eBusiness landscape.