Friday, January 25, 2008
The root cause of weak Enterprise Security
My significant other and I had a conversation last night on why many large enterprises with talented IT security professionals continue to lose their customers data. In my belief, the blame doesn't belong in IT but does belong in the human resources department...
As an agilist, I am a firm believer in people, then process, then tools; in that order. If we look at the people problem, one can chalk it up to buffoonery as that it what I did when both the State of Connecticut and the folks at the Department of Veteran's affairs lost my data but that doesn't tell the whole truth.
Consider the modern day enterprise where the folks running the asylum didn't truly come up thru its ranks. In the same way we probably wouldn't want our local police chief to not know how to arrest a criminal and simply defer the decision downward to others, we do think that this behavior is OK for our IT executives. Human resources has allowed folks who are really good at perception management to run IT but otherwise aren't competent enough to understand bad security practices even if they were written on a billboard blasted in front of their face. Should you as a customer have to rely on the ability of someone in the know to sell the problem spaces and distill it down to a couple of PowerPoint bullets or would you rather have someone in charge that intuitively understands?
This may come as a surprise, but on September 10th, 2001 the notion of secure airplane doors actually existed and there were sales folks making calls on that day. Did you know that some airlines had purchased them intuitively while others such as American didn't. Do you believe that the executives at Israeli airlines as one of its buyers had competencies in place while American only had perception management and bean counters who didn't understand the value proposition?
While it is amusing to attack executives, it is more important to understand what occurs in the trenches. Imagine a scenario where four college students graduate from a prominent university and all decide they want to become IT professionals. The first student says that he wants to work as a server administrator. He hits the books and learns Windows, Solaris or whatever operating system in use and becomes productive. He decides after the first six months that he has a handle of his job and doesn't need to learn anything else until the next product upgrade several years from now.
The second student observes the behavior of the first student and realizes that while time spent learning was temporary, it was time consuming and difficult. In order to avoid the pain himself, he decides to become a project manager. He knows that resources such as PMBok exist and that his shop has an interest in becoming CMMi certified but realizes that even if he doesn't pay attention, someone else sooner or later will reduce everything he needs to know down to a checklist that he can simply follow. Even if this doesn't happen, he can ignore any notion of practice and simply rely on intuition.
The third student realizes that he is pretty good at office tools and has mastered the usage of Powerpoint. He realizes that he doesn't even have to make the effort to understand the details of any problem space and simply realizes that if he leverages the executive approved Powerpoint template, he can come up with much of his information by simply reading Gartner reports. He gets really good at using buzzwords such as alignment, best practices and innovation and incorporates into every presentation. He is a believer in reuse, but only when it comes to Powerpoint decks and not SOA services or even code.
The forth student decides he wants to become a IT security professional. He realizes that he first needs to understand technology and may learn the same thing as student one but to become really competent, he may also spend additional time learning software development. Now that he has multiple competencies, he realizes that it is not good enough just to know how something works, but also needs to figure out in dynamic situations how things may break, he spends even more time. He attempts to help others write high-quality valuable working software but is met with resistance at every turn.
Ask yourself, in a modern enterprise which role has the most likely chance of becoming CIO? Ask yourself as a consumer, which one would you want to be in charge? Ask yourself why you think the two answers are different and more importantly should they be? Do you believe that the folks in these roles should all be compensated the same? I bet you will start to conclude on your own that there are multiple undiscussed deficiencies in the way human resources work in large enterprises...
| | View blog reactionsAs an agilist, I am a firm believer in people, then process, then tools; in that order. If we look at the people problem, one can chalk it up to buffoonery as that it what I did when both the State of Connecticut and the folks at the Department of Veteran's affairs lost my data but that doesn't tell the whole truth.
Consider the modern day enterprise where the folks running the asylum didn't truly come up thru its ranks. In the same way we probably wouldn't want our local police chief to not know how to arrest a criminal and simply defer the decision downward to others, we do think that this behavior is OK for our IT executives. Human resources has allowed folks who are really good at perception management to run IT but otherwise aren't competent enough to understand bad security practices even if they were written on a billboard blasted in front of their face. Should you as a customer have to rely on the ability of someone in the know to sell the problem spaces and distill it down to a couple of PowerPoint bullets or would you rather have someone in charge that intuitively understands?
This may come as a surprise, but on September 10th, 2001 the notion of secure airplane doors actually existed and there were sales folks making calls on that day. Did you know that some airlines had purchased them intuitively while others such as American didn't. Do you believe that the executives at Israeli airlines as one of its buyers had competencies in place while American only had perception management and bean counters who didn't understand the value proposition?
While it is amusing to attack executives, it is more important to understand what occurs in the trenches. Imagine a scenario where four college students graduate from a prominent university and all decide they want to become IT professionals. The first student says that he wants to work as a server administrator. He hits the books and learns Windows, Solaris or whatever operating system in use and becomes productive. He decides after the first six months that he has a handle of his job and doesn't need to learn anything else until the next product upgrade several years from now.
The second student observes the behavior of the first student and realizes that while time spent learning was temporary, it was time consuming and difficult. In order to avoid the pain himself, he decides to become a project manager. He knows that resources such as PMBok exist and that his shop has an interest in becoming CMMi certified but realizes that even if he doesn't pay attention, someone else sooner or later will reduce everything he needs to know down to a checklist that he can simply follow. Even if this doesn't happen, he can ignore any notion of practice and simply rely on intuition.
The third student realizes that he is pretty good at office tools and has mastered the usage of Powerpoint. He realizes that he doesn't even have to make the effort to understand the details of any problem space and simply realizes that if he leverages the executive approved Powerpoint template, he can come up with much of his information by simply reading Gartner reports. He gets really good at using buzzwords such as alignment, best practices and innovation and incorporates into every presentation. He is a believer in reuse, but only when it comes to Powerpoint decks and not SOA services or even code.
The forth student decides he wants to become a IT security professional. He realizes that he first needs to understand technology and may learn the same thing as student one but to become really competent, he may also spend additional time learning software development. Now that he has multiple competencies, he realizes that it is not good enough just to know how something works, but also needs to figure out in dynamic situations how things may break, he spends even more time. He attempts to help others write high-quality valuable working software but is met with resistance at every turn.
Ask yourself, in a modern enterprise which role has the most likely chance of becoming CIO? Ask yourself as a consumer, which one would you want to be in charge? Ask yourself why you think the two answers are different and more importantly should they be? Do you believe that the folks in these roles should all be compensated the same? I bet you will start to conclude on your own that there are multiple undiscussed deficiencies in the way human resources work in large enterprises...
