HomeCareer Management

Information security vs politicized information security

Like Tweet Pin it Share Share Email

Politics, according to Larry Hardiman, whoever he is, comes from the Greek “poly,” meaning many, and “tick,” meaning blood-sucking parasite.

It’s hardly a fair characterization. Politics is the art of finding a path forward for a collection of people who disagree … often strongly … about even such matters as where forward is.

But (news flash!) politics can get ugly. One of the many ways it gets ugly is politicizing topics that aren’t intrinsically political.

Take, for example, information security (you thought I was going to dive into climate change or evolution by natural selection, didn’t you?).

In the unpoliticized world, information security is (to oversimplify things more than just a bit) a matter of making rational choices about protecting an organization’s data and applications portfolio from intruders wanting to steal the former or alter the latter.

What makes these decisions interesting is that with very few exceptions, every additional increment of protection raises not just the direct cost of security, but also barriers that impede the flow of work, making an organization just that much less nimble than it would otherwise be.

Information security should be, that is, a collection of deliberately chosen trade-offs between risk and cost on one side and effectiveness on the other.

It’s how information security works in companies where the need to avoid blame hasn’t irretrievably politicized it. Which is to say, out of the 100,000 or so U.S. businesses with 100 or more employees, it’s how roughly 142 practice the discipline. For all the remaining 99,858 businesses, information security is a politicized mess. (I arrived at this number by typing three keys on the numeric keypad with my eyes closed. I challenge you to arrive at a more accurate estimate.)

Because the driving force is blame avoidance, the way it plays out is that instead of making trade-offs between cost and risk on the one side and running an effective business on the other, InfoSec goes into full prevent mode: Plug every hole, address every risk, and, most of all, require every password to be at least 42 characters long and chockfull of punctuation marks, numbers, and both capital and lowercase letters, measuring password strength by memorizability: If an employee can remember a password, it isn’t strong enough.

All of which leads to frustration. I’m not referring to the frustration business users feel, although that is generally intense. I’m referring to the frustration InfoSec experiences because it never has enough budget or authority to prevent all possible mishaps from occurring, even though it will always be blamed for anything that goes wrong.

And things will go wrong, not only in spite of InfoSec’s efforts, but also because of them. The reason is simple and predictable: Raise barriers enough, and employees stop seeing them as protections they should respect and start seeing them as impediments they should work around. Writing passwords on Post-It notes is just the most visible example. DropBox, jump drives, email attachments and all the other ways employees manage to take files with them so they can get work done are probably more significant.

It would all work much better if InfoSec collaborated with employees to find secure ways to do what they need to do … maybe not perfectly secure, but secure enough; certainly more secure than the work-arounds.

But InfoSec can’t, because when blame-avoidance is the primary goal, secure-enough will never be secure enough. Far better to experience a breach and be able to say, “They violated our password policy,” than to have to respond to an outside security audit that reports the existence of a theoretical vulnerability in a solution instituted deliberately by InfoSec.

The point of this column isn’t limited to information security … a subject about which I know just barely enough to raise the points made above.

No, the point is the hidden costs of a culture of blame. They’re enormous.

When a company has a culture of blame, employees expend quite a lot of their time and energy, and cost center managers expend quite a lot of their budget, time, and energy, doing whatever they can to make sure the Finger That Points points at someone else if something goes wrong.

A small part of that time, energy, and money goes into making the business more effective. Far more goes to CYGM (cover your gluteus maximus) activities that do little other than to provide documentation that whatever went wrong is Someone Else’s Fault.

It’s a problem worth solving. How? That will have to wait until next week.

Comments (4)

  • Our hospoital IS department has banned internet use of the words “breast, vaginal, anal”, and anything to do with firearms. It makes it very hard for our internet based ordering of supplies, for instance vagial or rectal probes and clamps, or to investigate ballistic characteristics of bullets for autopsy reports. If you need any of these, they come and give you one time access.

  • Bob,
    I have been a long time reader of yout column and enjoy the discussions but the size of your recent e-mails have become excssive. Half a megabyte for mostly words with a few pictures seems outrageous. Please tone down the resolution. Otherwise, keep up the good work.


  • Unless you have an objection or another source, I may refer on occasion to LEWIS’S LAW OF PASSWORDS:

    If an employee can remember a password, it isn’t strong enough.

    (from anonymous, please)

Comments are closed.