No one gets fired for banning IM

At a recent IT Roadmap show — a travelling road show that brings Network World columnists “to life” — I met two security professionals who lamented their company’s security policy choices. I know that discussing the policy at a show won’t change it, but it’s therapeutic to commiserate about poor security policy decisions. Of course, I only have part of the picture, so it’s unfair to judge those policy choices. I go for therapeutic and interesting over fair in this particular instance.

The company in question (nameless, of course) has chosen to ban all forms of instant messaging. This is a pet peeve of mine because our research shows that IM has a compelling ROI, both in hard dollars in areas such as sales, and even more so in soft productivity dollars. I am a firm believer in security that enables business risk where the risk brings a compelling ROI or competitive differentiation. After all, if we’re not willing to accept some risk we should probably disconnect from the Internet and shut down the business. This argument is over IM, but it is exactly the same argument that I had 15 years ago over “connecting to this Internet thing” at financial services firms. I’m guessing that in the earlier part of the previous century there was a security professional arguing against the use of this “telephone” device that was in fashion among the younger generation.

But regardless of the relative merits or risk of using IM in a business setting, this same company has every user run Windows as an administrator in order to support some legacy application. Not only is it a supremely bad idea to run Windows as an administrator, it also makes it almost impossible not to ban IM as a follow-up decision. If you set your policy to trust the user as admin, you can’t trust them to run any code… This truly boggles the mind and is a classic example of missing the risky forest while obsessing about risky trees.

It reminds me of a documentary video from the 1970s showing anti-nuclear protesters outside a nuclear power plant. They’re all chanting “Nuclear Power Kills!” Every second chant, most of the protesters stop to take a deep drag from their cigarettes. Thirty-five years later, would anyone want to bet on how many of those protesters died from nuclear power vs. smoking? Perhaps when modeling risk in society we have to consider smoking as more dangerous than nuclear power (and therefore consider sugar as more dangerous than terrorism because of the diabetes epidemic).

In a business you must make risk decisions with a comprehensive and self-consistent model. You can’t optimize risk locally — because of the “weakest link” characteristic of security. Which is exactly why I rant about security policies like this. They represent the “no one got fired for banning IM” brand of weak reasoning that allows some security people to drop the consequences of risk-avoidance on business productivity and competitiveness, while making the “safe” choice.