“Compromise” is not a dirty word

compromise

If it wasn’t for the users we could secure the company much more easily.

or

They just don’t get it, we are doing this for their benefit.

We often hear statements like this being made, and sometimes even uttered by ourselves. In fact I daresay they are often made by people in very different support industries, not just information security, but it seems that we harbour these feelings more than most.

Effective security is security that is understood, adhered to and respected. Ineffective security is either too lax, or so tight that individuals do their level best to work around it. They are not working around it because they are subversive elements in our organizations, but rather because it is restricting them from getting their day jobs done; it has become a barrier.

Each organization will have it’s own unique requirements, and even within that organization unique requirements will come about. The finance and legal teams are likely to require a different level or type of security around their work than a creative or IT team. If you have ever observed a creative team in full flow you will understand that the concept of a “clear desk” policy is not only laughable but also extremely restrictive to the very fundamentals of their craft. That same policy however will be more easily understood and accepted by the aforementioned finance and legal teams.

So in this example do you enforce an organisation wide clear desk policy? Probably not. It may make sense to have a departmental one, although in some circumstances this would be harder to police. Or you could implement clear desk “zones”, i.e. areas where it is not necessary to have a clear desk because of other measures. The measure may be soft, such as background checks on cleaning staff or hard, such as supervised cleaning staff.

Variations to blanket policies always cost money, but if you ascertain the potential financial value of that loss and compare it to the cost of the measures you can help your business to understand, adhere and respect the measure you are proposing.

This doesn’t just apply to physical security (although it very frequently does!) but also to technical and administrative controls too. Policies have to be very carefully written and reviewed by the various stakeholder of your organisation to ensure the right balance is struck. Technical controls also have to have this balance. Data Loss protection (DLP) is a marvelous technology that when implemented correctly can reap huge rewards and avoided risks, but it is expensive and time consuming to install and run. Who should ultimately make that decision, you, or the business. (clue, it’s not you).

Don’t be afraid to compromise in your dealings with your organisation. If they disagree with your approach, they either get it and feel it is simply the cost of doing business, in which case go off and look at other ways to support them. Or they don’t get it, which means you need to do a better job of convincing them of the risk in which case, go off and look at other ways of making your point. A good compromise is made when each party respects and aligns to the other parties point of view, not when each party is on fundamentally different sides.

Help your business respect and align to the information security ideals you hold dear, and do the same for theirs and you will always get more effective security.

Tags: , , , , , , ,

About Thom Langford

An information security professional, award winning security blogger and industry commentator. Available as a speaking head and presenter on topics relating to information security, risk management and compliance.

One response to ““Compromise” is not a dirty word”

  1. j4vv4d says :

    I agree with the sentiment of the wisdom you are showing old chap. This itself is a spin-off of the broader issue of communication and understanding the business.

    In most cases, I believe infosec teams wouldn’t need to make so many compromises – or feel as if they do if they took the time to:

    1. Understand the business so as to recommend appropriate controls and

    2. Communicate those requirements and controls in a manner the business understands.

    One of the challenges is a workforce of security professionals raised on a diet of compliance – where things are rigid in both wording and implementation with little leeway for compromise with auditors or regulators either because of the difficulty involved in getting an exception approved, or the reluctance of the security professional to lock horns with an external regulatory body.

    I once locked horns with an external auditor – it wasn’t a pretty sight, made Ivan Drago look tame by comparison. But after a few rounds he was saying, “He is not human, he’s like a piece of iron” – well maybe not those words. But he ended up compromising on his position and everyone was better off as a result.

    That last paragraph really didn’t have a point; I just wanted to try and slip in an example of me being an infosec badass and convincing an auditor to change his ways.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: