Freigeben über

Security is a confidence building exercise

  • Artikel

Yesterday I was at a community event in Canberra, well, actually, it was in the middle of nowhere in New South Wales, but that's beside the point. One of the issues that came up there was how to sell security to senior management. Having struggled with this for a while I listened attentively as Peter Watson, Microsoft's Chief Security Advisor for Australia, explained his way of doing it. He uses the argument that security is what enables you to receive business value from the other IT investments you make.

Far be it from me to disagree with Peter, but it struck me that this argument could probably be taken a bit further. Isn't security really about building confidence in your IT? Obviously, security for the sake of security is something only those of us who work on security for a living could love. But what value does it provide to the rest of the world? I think it may be in the confidence it gives us in our infrastructure.

One way to think about it is with an analogy. Have you ever had a really bad car? One that could not be reliably trusted to actually get you to the destination you seeked, and certainly not back? Were you really looking forward to get into it? Of course not. You tried to avoid it at all costs. If you replaced it with a new car you finally got your confidence back and started making trips again.

IT is like that car, and security is the enabler that gives us confidence in it. Ideally you do not want to have to think about it, or have to notice that it is there, or worry about whether it is or not. You still have to have whatever it is that makes the car run reliably though. If you look at the four "pillars" of Microsoft's trustworthy computing initiative a recognition of this seems to actually be there, although obscurely stated: the real objective is to have reliable systems where our information stays private. Security is what enables that to happen. It is what we do to gain confidence in the reliability of our systems. It is what allows us to trust that those systems will be there, will function, and will do what we need them to do. Ideally, security would not get in the way in the process, and that gets us to the fundamental tradeoff I have talked about so often.

Do you agree? Having had the luxury to do security for the sake of security for so many years I am struggling a bit with how to sell it to people whose job it is to run our systems. If you have a great way to do that I'd like to hear about it.

Comments

  • Anonymous
    March 09, 2006
    My personal experience has been that it is surprisingly easier to sell security to my superiors than to my fellow IT professionals.  Perhaps this is because the higher-ups are already indoctrinated with the threats of non-compliance with regulations such as HIPAA and Sarbanes-Oxley.

    Unfortunately, the best I have been able to do with my colleagues is to resort to scare tactics.  "What-if" scenarios that end with a system being compromised or sensitive information being disclosed can be effective, but only in limited doses.

    However, I have had some limited success in lending out my copy of "Protect Your Windows Network."
  • Anonymous
    March 16, 2006
    Just to be a pedant we in Canberra dont see ourselves as in the middle of New South Wales - we are in our own small Territory called the Australian Capital Territory ;)

    the ACT was created because NSW and Victoria couldnt agree who would be the capital of Australia - so they created a seperate Territory.   Back in the 1900's there was a fear of naval bombardment so they placed the capital away from the coast - which is of course redundant now as we have missiles!

    see you at the AusCERT conference
  • Anonymous
    March 19, 2006
    The comment has been removed