At a recent IT Roadmap show — a travelling road show that brings Network World columnists “to life” — I met two security professionals who lamented their company’s security policy choices. I know that discussing the policy at a show won’t change it, but it’s therapeutic to commiserate about poor security policy decisions. Of course, I only have part of the picture, so it’s unfair to judge those policy choices. I go for therapeutic and interesting over fair in this particular instance.
The company in question (nameless of course) has chosen to ban all forms of instant messaging. This is a pet peeve of mine because our research shows that IM has a compelling ROI, both in hard dollars in areas such as sales, and even more so in soft productivity dollars. I am a firm believer in security that enables business risk where the risk brings a compelling ROI or competitive differentiation. After all, if we’re not willing to accept some risk we should probably disconnect from the Internet and shut down the business. This argument is over IM but it is exactly the same argument that I had 15 years ago over “connecting to this Internet thing” at financial services firms. I’m guessing that in the earlier part of the previous century there was a security professional arguing against the use of this “telephone” device that was in fashion among the younger generation.
But regardless of the relative merits or risk of using IM in a business setting, this same company has every user run Windows as an administrator in order to support some legacy application. Not only is it a supremely bad idea to run Windows as an administrator, it also makes it almost impossible not to ban IM as a follow-up decision. If you set your policy to trust the user as admin, you can’t trust them to run any code… This truly boggles the mind and is a classic example of missing the risky forest while obsessing about risky trees.
It reminds me of this documentary video from the 1970s showing anti-nuclear protesters outside a nuclear power plant. They’re all chanting “Nuclear Power Kills!” Every second chant, most of the protesters stop to take a deep drag from their cigarettes. Thirty-five years later, would anyone want to bet as to how many of those protesters died from nuclear power vs. smoking? Perhaps when modeling risk in society we have to consider smoking as more dangerous than nuclear power (and therefore consider sugar as more dangerous than terrorism because of the diabetes epidemic).
In a business you must make risk decisions with a comprehensive and self-consistent model. You can’t optimize risk locally — because of the “weakest link” characteristic of security. Which is exactly why I rant about security policies like this. They represent the “no one got fired for banning IM” brand of weak reasoning that allows some security people to drop the consequences of risk-avoidance on business productivity and competitiveness, while making the “safe” choice.