3 Common Ways Security Fails People


Nothing gets me going in the morning like a good ol' fashioned dust-up over "security" measures interfering with my ability to get stuff done. It just reminds me of how far we still have to go in order to fix all the wrongs of our past lives. Here are three (3) areas in which I think infosec fails people and shoots itself in the foot, undermining credibility for the future.

1) It gets in the way. Tying into that legacy concept of security's "culture of no," we seem to have a tendency to get in the way. We've created the enablement culture where we tell everyone else "don't worry, we'll take care of security," but then we've screwed that up, too. And then when people actually need to get stuff done, rather than helping them, we mire them in process and policy and bureaucratic inanity. It's no wonder developers and business leaders eagerly plop down a credit card to buy cloud-based computing services that allow them to quickly bypass all our stupidity!

2) It makes life more difficult. Control for the sake of control can be problematic. Security measures need to be easy and comprehensible whenever possible. Surreptitious changes that negatively impact people's ability to get work done are a bad thing, and they will not have a positive outcome for your efforts. Case in point: OWASP made a change recently to only allow owasp.org domain accounts to have access to their Google Apps instance. All good and fine in theory, except that it wasn't communicated (that I'm aware of), and it blocked me from conducting chapter business (updating a calendar, of all things) because a) my personal account no longer worked, b) someone then had to add my owasp.org account to the calendar, and c) I somehow failed to record my new password for a forced owasp.org account update due to a (potential) security incident and account clean-up effort. If we make things more difficult and don't communicate that changes are happening and why they're needed, then we shouldn't be surprised when people get perturbed, frustrated, or simply find ways to bypass security altogether.

3) It doesn't understand what's important. I have a whole separate post brewing on the topic of "impact" and "value," but let's boil this down real quick: What's important is allowing the business to operate, thrive, and grow. That means not impeding key processes. It means helping ensure that every dollar spent on technology is spent wisely, and not out of some sense of "shiny object syndrome" or because such-and-such vendor says their tech is a "must have" for the year. More often than not, infosec people have a lousy reputation for failing to "get it" in terms of what is important to the business. This topic is well beyond simple IT realignment theory. It's a fundamental disconnect. Your job as a security professional is not to "stop bad things from happening" - it's to protect the business while allowing it to function. Understand all that that statement means and you'll be much better off in the future.

AND... finally... a bonus point to drive things home... says Gunnar Peterson:

We shouldn't look at security as a one off, an isolated department of "specialists", but rather leave the ivory tower and look for tools, processes, and training that help the people on this list do their jobs better. Making it faster, better, cheaper and easier to consume and integrate security services into their daily work is the biggest security influencer of all.

So... a little bit of a rant to help you get through the middle of your week. Fire up! :)


How exactly does security work and yet not get in the way? Isn't that inherent?

To your second point, and while it may not be the core point, maybe you made things difficult by not using a standard account to access Google Apps? :) I understand your point, but in many cases people do things wrong and then blame security. It's like giving an angry glare to the curb on the side of the street because it bumped into you on a snowy, slippery day.

This isn't me arguing or angry so much as just discussion-banter.

In fact, let's just dive into item #3. Even something like ISU and standards may impede processes. But it does so in the hopes that in the long run a process will withstand adversity, be predictable, documented, and understood by everyone. Often, security gets misunderstood as control for the sake of control, rather than control for the sake of the business, stability, predictability, and security. At least, that's my token devil's advocate on that. :)


About this Entry

This page contains a single entry by Ben Tomhave published on December 7, 2011 11:58 AM.
