Tuesday, September 15, 2009

Being the "Bad Guy"

Are we in the "no" business?

I have to ask that question because of what I sometimes encounter in PCI assessments and even PCI training. I recommend limiting Internet access or restricting access to cardholder data or changing a business process, and I am seen as interfering with some users' perceived ability to do their job. I am, in their mind, in the "no" business.

I saw an article in Slate subtitled "Why corporate IT should let us browse any way we want." The author's point is that restrictions such as access to social networking sites or "e-mail and chat programs, dating sites, shopping sites, and news sites like Digg or Reddit (or even Slate)" foster resentment, reduce morale, and are corrosive to creativity. Wow. And I thought I was just protecting the client. Is this guy clueless or am I missing something?

I read the Slate piece because of an interesting and very thoughtful post at Security Catalyst responding to it. The thinking is that while you may not agree with the Slate author, you have to admit that he represents what a lot of users -- your users -- are thinking. Instead of just responding with another rant, maybe we need to listen to the objections...really listen. Maybe we ought to take a look at the restrictions to make sure they really make sense. Then, let's educate the users as to why the restrictions exist. Maybe, and this is where we get a little optimistic, we can even convert some of them. (Personally, I'd be happy for a little understanding...).

What do you do? How do you implement what may be seen as draconian controls by some but that are simply good practice from a risk view point? Have you ever tried to convert a skeptical user or bunch of users? How do you address risks in your employee training?

The problem isn't going away. SANS just released its report on the top cyber security risks and the picture isn't pretty. If you want a good idea of the scale of the threats, just read the first part of the Executive Summary for all the vulnerabilities in client-side software, phishing, and web-based exploits. (Note: I'll be speaking on cyber risk at the upcoming Treasury Institute Symposium in January; plan on this subject being included.)

It looks like I and most of you, dear readers, may be in the "no" business for a while, but I like the idea of trying to convert users -- the IT staff are easy -- to seeing why the restrictions are needed.

Any and all ideas welcome!


  1. I have seen the same reaction you are referring to here about being seen as in the "no" business. From my experience, I see this more often in organizations that don't believe change is good.

    Organizations are comfortable with how they have been doing business because their processes have been working. What they don't understand now is what we are faced with today, things like PCI DSS, Data Breach Notification Laws etc.

    So as security professionals we need to promote better security awareness programs that explain to non-IT users what we are up against, the risks the organization could be faced with, and how security affects their jobs and what they do, not just for the organization but also in their personal lives.

  2. Part of that rant in the original article shouldn't be directed to IT at all, but rather HR. It is often (and should be) an HR decision on limiting access to things that may limit productivity. That certainly is not an IT decision. The security/bandwidth/support pieces are IT issues.

    To your statement near the end that IT staff are easy: some of the worst offenders are IT staff. Now, sysadmins and security staff tend to stay between the lines and tend to understand the risks. But many of the other areas of IT are far more willing and able to circumvent policies and wiggle around and do anything they can to get what they want (proxies, hosting their own services at home, local admin rights because their dev tools require it, etc). It gets down into "they think they know enough that it makes them more dangerous."

    I've found that there is often very little chance of convincing someone who doesn't want to be convinced. They will nod and understand that there are security risks and even efficiency costs for IT staff to support such varied and often risky behaviors that most users enjoy when on their home systems. They're being inconvenienced, but they value what they want rather than what IT/security staff jobs require.

    A lot of this, to me, is the same argument against "security ROI" or "security to enable business" and so on. It's a directly inverse relationship most of the time. At least from the standpoint of either users or security/IT. The only people who may truly understand the issues are those in upper management who sign the policies. It's up to them to set the tone of how all the other users express their acceptance or disdain.