Monday, June 01, 2009
As an employee of a very large enterprise, I sometimes question my own thinking when it comes to security spending. It is important to acknowledge several truths that are neither well documented nor discussed openly. Let's start with the first principle.
Principle One: Auditors sometimes have more of a say in enterprise spending than the enterprise itself
OK, can anyone explain why enterprises are spending millions of dollars on identity management, specifically provisioning, where it takes at least three years to become reasonably useful? If auditors, in their desire for automated ways to measure controls, were not pushing for IdM, would anyone be pursuing it in 2009?
Principle Two: An asset is not valued on what you spend to acquire it
Gunnar believes that the security spend should track in alignment with the money invested. While this is philosophically true, reality states that enterprises spend way too much on certain technologies, which can skew the results. For example, if I spend $50 million on a strategic architecture platform created by your favorite insultancy, one that flies in kindergartners from all over the planet to deliver chock-a-block eye-candy PowerPoint and ultimately ships a 10,000-line Hello World application, that doesn't mean I should spend a lot to protect it.
Likewise, if I have a major enterprise application that is mission-critical and brings in billions of dollars in revenue, but I am stupid enough to outsource it to monkeys in India, the Philippines or some other second-class, third-world country for a nickel an hour, that doesn't mean I should spend less to protect it.
It does, however, mean that I need to understand the value of the applications that IT is the steward of and protect them appropriately, which may include figuring out better ways of bringing this type of system quality out into the open for our business partners to see.
Principle Three: Security follows the keep it simple stupid (KISS) philosophy
Which is simpler: showing an auditor that I comply with a complex password policy by pulling up the domain policy on my Active Directory domain, or demonstrating that none of my applications have CSRF exposure? When you keep things simple, you allow more people to participate. I could take recent college graduates with absolutely zero IT experience, or my seven-year-old son for that matter, and teach them how to audit IT ecosystems if there are dialogs that present the information.
Real security requires knowledge of software development, which fewer folks in the US have. Likewise, budgeting within an enterprise context is a team sport where lots of folks get to add their two cents. It is simply easier to go after simple things, even if doing so doesn't address the root cause of any issue, past, present or future, than it is to get folks to understand the root cause of something more important.
The ability for people of any skill level to participate, even in conversations they don't understand, cannot be underestimated. Consider the simple fact that to be a PCI auditor, you don't even have to know how to code. You will probably find that you could put a buffer overflow up in PowerPoint in front of most PCI auditors and they wouldn't even recognize it.
Principle Four: Everything is important, but what is more important?
Gartner can provide Magic Quadrants for closed-source proprietary products all day. If you want to know which ECM platform is hottest, they can tell you what is best among Alfresco, Interwoven, Documentum and so on. They of course have no clue as to which platform is more secure.
If you need a log management platform, you can get guidance from Forrester, and they will guide you on choices among LogRhythm, Splunk and LogLogic. Likewise, Burton Group can guide you on what is the best offering in federated identity, ranging from Oracle OIM to Ping Identity, OpenSSO and so on.
Bet you can't find a single analyst firm that would be willing to guide you on which is more important, log management or federated identity. You will get posturing, lots of hand waving and ultimately little useful guidance. Enterprises are constrained by budgets and sometimes only get to pick one category, and how this is resolved has about as much integrity as flipping a coin.
Principle Five: You are only allowed to be proactive once per year
We all collectively acknowledge that security isn't keeping up with business innovation, and therefore when we are given money to spend, it is usually to fix something that is known to be busted. So forget proactiveness when reactionary decision making rules the day. Some of this is due to visibility, and initiatives such as OWASP can help, but much of it is more in line with how humans behave.
Ask yourself this question. If you were Chief Security Architect and wanted to address some gaping vulnerabilities within your ecosystem and knew that an exploit was imminent, would it be easier to proactively sell the fix, or to sit back, watch it happen and then ask for funding? Which would be easier in terms of time, work/life balance and your soul...