By Rich Loeber
Sometimes, we get so wrapped up in what we're doing down in the security trenches that we lose sight of the overall objectives. When that happens, bad things can occur.
I have mentioned before that we live in a remote community deep in the Adirondack Park in upstate New York. Our house is on one of the larger lakes, and that lake is interconnected with a huge system of creeks, streams, smaller lakes and ponds. It is a canoeist's dreamworld. On a recent weekend, my wife and I packed off for an 8 mile paddle with a break for lunch in the middle. It was a beautiful day and the trip was great, until the end. On our return, when we left the protected creek that we'd been traveling on, we saw every canoeist's nightmare: a powerboat pulling a water skier headed straight for us. The boat had the required two people in it, but they were both looking backwards at the skier. It was the skier who finally saw us (as I was waving my paddle furiously in the air) and motioned to the driver to look around.
What was wrong is that the driver forgot his primary objective. He should have been driving the boat, not watching the skier.
After I settled down from this, and survived the wake from this close call, it occurred to me that when we get down in the trenches in our job as security officer, we too can easily forget to "drive the boat".
What do I mean by this? I mean your overall corporate objectives. Why are you in business? What's your end product? How is it getting delivered? What is your place in the process? Is what you're doing helping to meet the objectives? Or, if you've forgotten to "drive the boat", is what you're doing making it harder for everyone else to keep on track?
Often, in our zeal to keep things safe, we make it hard for everyone else to just do their job. If that's happening in your shop, I'd take a second look at what you're doing. Security should be done in such a way that legitimate users (your customers) can do their job without having to jump through any hoops, not even little ones. At the same time, you need to be able to identify risk areas and set up an environment where unauthorized users cannot easily get to automated company assets.
So, how do you know how you're doing? I'd start with checking on your phone calls and end user email. What's the most common complaint in the last few weeks? If you get a lot for the same reason, then this might be an area where you need some attention. For example, do you have situations where you require multiple logons to gain access to your system? Each additional logon takes time and is not very productive. If your risk assessment is fairly low, look at ways to implement a single sign-on. Do you often get calls from users who can't access some bit of data that they need? If so, it might be time to reassess your data access policies to bring them up to date. Every time someone has to call to get a security change implemented, they aren't "driving the boat", and the results could be very bad.
I'd love to hear your war story along these lines. If you have a good one, send it in and I'll collect and publish them at some point down the road.
If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My email address is rich at kisco.com. All email will be answered.