Last week on my HP blog (Following the Wh1t3 Rabbit) I posted this exact same blog post, but from the perspective of the security practitioner. This post is from the viewpoint of the CxO, and it's all about what I think is the number one issue in enterprise security - productivity.
Productivity is a sensitive issue for security professionals, and probably even more so for those managing security and technology units within an enterprise. Let's face it, security in the corporate space is about much more than just securing your company - it's about all the little battles that go into making sure your organization lets you continue to operate in a manner that allows you to protect them ... even if it often is from themselves. You may find yourself asking what productivity has to do with real security, and why I, a security professional who has held nearly every job in the information technology space including information security management, have settled on productivity as my cause. It's simple, really. I feel - and I know virtually every one of you reading this will agree - that the mission statement of every well-run IT organization is to increase the productivity of the enterprise. The animosity that often arises between information security and the rest of IT, and especially the business, exists because security tends to be seen as a drag on productivity.
Let's dive into this with a short analysis; maybe I can make a believer out of you that, for information security to succeed at its corporate mission, it must prove its worth in enterprise productivity.
Unintended Consequences of Security - the Good
From a productivity perspective, some of the things that information security imposes on the enterprise are for its own good. Productivity isn't just about running rampant and being able to do whatever you feel like just to get things done. No, productivity is about making the grand machine of the enterprise run as efficiently as possible, with everyone moving along as swiftly as possible, with every available resource at the right time, all the time, in the most effective manner possible. A good enterprise is agile, efficient, and productive, and security can absolutely enable that.
Don't believe me? Think about all those security and operations folks you have working off-hours so your systems can stay patched, current, and protected from those things that prowl the Internet looking to exploit your systems and cause unnecessary downtime. Think about how much more productive your employees are when they have systems that are free from malware that slows them down, causes crashes, or forces them to send their computers to the depot for repair. Think about how the well-thought-out policies that you put in place for things like password resets and other security-related tasks keep your help desk lines from being clogged up with frustrated end-users sitting on hold waiting for support when they could be performing their business duties.
I've got examples of how good security practices from the CxO perspective can improve productivity coming out of my [rabbit] ears ... but you've probably implemented some of them and just never thought about it. That captive portal you've implemented, which sandboxes a remote user who VPNs in with a machine that's missing patches and is out of date on anti-malware signatures, auto-magically pushes updates to the machine, scans it, and only then allows it into the enterprise network ... that's genius. Extending the token-based OTP (one-time password) system across the entire corporate applications platform saves time because it keeps users from having to remember dozens of different passwords ... and consequently forget and reset them, and it ratchets up the security factor. Again, genius. I could go on, and on, and on ...
Unintended Consequences of Security - the Bad
It's not all roses and rainbows though, so let's just be clear. When security decides that productivity isn't a priority, and loses sight of that almighty goal of keeping the business humming along first and foremost, bad things happen. You end up with haphazard policy-making that produces arcane rules which add little to security but create untold complexity and, in the end, only penalize the users trying to get work done. Missing the balance can have further disastrous consequences, especially if you've ever turned your laptop on during a board meeting to present that all-important slide only to realize that your anti-virus package runs on Tuesdays at 2pm, and it will drag your system to its knees for the next 3 hours.
There are other examples of bad security creating bad productivity too. I've had the learning experience of being part of a team where the CISO mandated that security policies were for the good of the enterprise, and would be absolute. Productivity be damned, security was first, and we were going to act like it. The result quickly manifested itself: the software development lifecycle (SDLC) process became adversarial, and the CISO and CTO became enemies across the battlefield. While the CTO was trying to decrease complexity and simply 'keep the business running', security seemed to throw up unnatural road blocks all over the place without reason, and without being required to give an explanation. In the end, the CISO was relieved of his duties and the CTO was moved to a different role with less responsibility. Productivity suffered during this constant battling, and applications, projects and customers were sacrificed at the altar of 'security' - which we can all now agree is the wrong thing to do.
Look, if your enterprise is putting security first, I'm proud of you. But if your enterprise is putting security above all else, then you're probably running unbalanced, and that can only mean your productivity is suffering. After all, we have to ask ourselves as security managers and IT leaders: are we here to secure the business, or to enable it? I know the answer ... do you?
Unintended Consequences of Security - the Ugly
Sometimes things just get ugly. I've been there, too.
Imagine an enterprise where the CTO and CISO are in constant battle, primarily because they both report to the CIO and that's a clear conflict of interest, but secondarily because they have fundamentally different MBOs, or management goals. The CISO is paid to keep the enterprise secure, while the CTO is paid to keep the enterprise running ... and when the goal of security is misunderstood, we have a clash of epic proportions.
In one case, the CISO and CTO were sparring over a patching plan. The CTO clearly wanted [security] patches to take a back seat and simply get rolled into the regular patching cycles he had set up for his systems years ago. Mission-critical systems were patched twice a year, critical systems quarterly, and so on. Of course Information Security had something to say about that, and took the fight all the way up over the CIO's head. The result was a lot of hand-waving and politicking, and ultimately some compromises were made. In the end, neither side was happy because nobody "got their way", and when one of the enterprise's mission-critical systems went dead after a series of patches were applied (was it the system patch, or the security patch? no one knew ...), the CISO and CTO pointed fingers for days while a huge portion of the enterprise sat on their hands, unable to perform common duties like processing orders for customers. Business ground to a halt, and after a week-long ordeal the issue was finally resolved by rolling back everything - nothing got applied, and security and operations both lost. Not only were both teams severely cut down at the knees, but both managers were fired, as were several of their staff. Ugly indeed.
The Analysis of it All
In the final analysis, whether it's security or just IT operations - it's always about enterprise productivity. Security must do everything possible to increase productivity and think about that first and foremost when crafting and implementing policies, procedures and technologies. How will that additional security measure impact enterprise productivity? Can Information Security make a better choice which has a similar positive security impact but a smaller adverse productivity impact? As security managers and IT leaders, your purpose is to ensure that the goals of your enterprise are being met while you keep the organization safe.
While it may be logical, and maybe even elementary, to understand that mantra, proving you're doing it right is another challenge. How do you figure out whether your policies, procedures and technologies are in fact helping the organization perform better and be more productive? How can you prove conclusively that you're a superhero CxO because you've not only raised the security bar by 50%, but also helped increase corporate productivity by 20%? Is that even possible? It is. If you've ever been curious ... give the HP Discover Performance and IT Performance Suite a look; it's well worth your time.