The balance

On February 27, 2005, in Rants, by

Oh my gawd… the enemies are out there… oh no… they are in here… The Security mentor brings up something along the lines of my password issue… it’s an issue I call “the balance”. Every day, each one of us takes our expertise and talent and tries to balance the forces of needing to do our jobs and needing to secure the information we are caretakers for. The most secure information is locked up and never shared. But… you see… the best solution to our problem might be to share that information.

So every day we connect and communicate, open the holes, go through the firewall, pass the SYN/ACKs and all that.

And every day we balance the access against the abilities it brings. Push too many security restrictions on your end users and you restrict interaction and stifle creativity and business. Allow too much freedom and you have insecurity all over the place.

There’s a balance… and that balance costs.

One of the ways to help set the line, to help determine the right cost for that balance, is analyzing the data and putting mental boundaries around it. Even if your computer systems don’t categorize data as “high risk”, “medium risk” or “low risk”, you should. What is the data that should never, ever be let out of the castle gates? Make sure everyone in the office knows to treat that data as carefully as possible.

When it comes right down to it, a lot of this comes down to the ‘people’ part of the equation. Make compliance with ‘doing the right thing’ too hard and people will find ways around it. Make the right choices the easy ones, and people don’t mind ‘doing the right thing’.

Sometimes the worst enemy of all… is you.

One Response to The balance

  1. Tim Stull CPA.CITP says:

    We have seen the enemy and he is us…

    I like and totally agree with the concept behind information "risk assessment". The notion that a balance must be achieved is at the heart of the matter. In my experience, the information (content) itself is always the key to the appropriateness of its distribution. At what point does the balance shift from the fanatical pursuit of information security perfection to the benefits an organization gains from having a common situational awareness? The value of information to the entity should not be measured entirely by the damage it could do if subverted to the wrong hands. We must always consider what might happen if we lose transparency.

    I think it is fortunate for the security hawks that each situation is different. The ultimate victory over the blind madness of bots, viruses and the automated security risks out there is our ability to exercise judgment. Beyond these, people can do a lot of damage on their own, but how is that different from what they have done throughout recorded history? The issue of balance really does work in our favor if we stop looking at it as a (thorny) workload issue.

    Yes, it can be costly. But sealing everyone and everything off is obviously more cost-prohibitive. I will openly surmise here that if the potential exists to kill even one nano-joule of creative synergy, then someone needs to be looking at the balance from a risk assessment point of view. Hopefully that someone is not a security hawk on a personal crusade to become the post in the middle of the information highway…

    I have a lot of faith that most people want very much to do "the right thing". I have to agree that taking away their ability to do that is far more damaging than living with the risk of a lone wolf attacking from time to time.