Whack-A-Mole

by Brian Katz on December 20, 2012 · 8 comments

I had a great discussion with a group of fellow tweeters yesterday which will be used as the lead-in to this week’s #mobilebiz tweet chat (open to anyone, usually on Thursdays at 1 PM EST…just follow the hashtag). We started off with a tweet about how all people really want is Windows on their iOS device and quickly moved down the rat hole of VDI, and from there to risk, security and users, and all about mobile. There were two basic sides to the argument, at least as I understood it, summarized very simplistically: one side saying a good risk management program means everything is covered as far as the business is concerned, and the other side pushing back by saying a risk management program can’t cover everything, especially as users have become savvier with the advent of CoIT (the Consumerization of IT).

Now that, as I said, is a rather simplistic way to look at it, so let’s dive a little deeper. If we look at it from the CISO side of the house, the argument goes that they report to the business and not to IT. Their job is to look at the business processes and identify the risks and the controls needed to manage and mitigate those risks when necessary. Many of them will say that their word is law, as there can be legal ramifications as well as financial ones if the controls they define are broken or avoided. Their job is not to look at the IT side of the house from the perspective of IT, but to ensure the controls needed to keep data safe and secure are in place. Users are not really their concern, as they look at the controls that are in place as taking care of the users as well, whether that means locking them down or some other means.

The other side of this equation is usually expressed by IT. They look at what the business has proposed and wants to implement. They look for ways that technology can help them implement the required pieces so that the business needs can be met. In a well-run business, the CISO would have already defined the controls as part of the business unit’s needs, and they would be much easier for IT to meet because IT knows about them up front. Alas, we do not live in a perfect world, and all too often security (whether it exists under the CISO, or under IT, and many times it is both) is the last one to be involved in these business projects. They are brought in at the end and everyone is scrambling to do it all and get it right.

The piece that everyone seems to leave out is the user. We roll out these perfect projects, but then we find out the end-user will do things with them that were unexpected. No one ever expected them to do a print screen so they could look at something offline, or that they would cut and paste a record into email. These things, quite honestly, are easy to find out about and fix. You pay attention to how they use the app, and if you’re smart you set up trials and pilots so you know what works and what doesn’t. The issue comes up when you aren’t dealing with an app or a business project. The line between work and personal life has blurred, and with the onset of smart devices everywhere, people are used to being connected whenever and wherever they are.

Yet many companies have controls in place that don’t take into account these savvy users. It’s less a part of CoIT and more the ITization of the user. They walk into a company that still blocks Facebook and Twitter, and won’t let them see their latest Instagram photos or Pinterest boards. They can’t use their lunch hour to hit Amazon to order the Christmas gifts for their kids. These people pull out their personal devices and start using them for that. Then they realize that instead of BYOD (Bring Your Own Device) they can also BYOI (Bring Your Own Internet). Their iPhone or Android device comes with a built-in MiFi (wireless hotspot) that they then hook up to their laptop, as they want the big-screen experience. They may not even unplug themselves from the main network. Even better, they figure out that they can just tunnel out through the proxy server/firewall on their laptop and go to Amazon or their Gmail at any time. They aren’t aware that they may be putting information at risk. Even better, once they figure out how to do it, they tell all their co-workers how as well.
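The "BYOI" laptop described above, plugged into the corporate LAN while also tethered to a phone hotspot, is a dual-homed host, and that condition is something IT can look for rather than wait to stumble on. The following is an added example (not code from the original post or its author) of a small inventory check: it parses `ip route show` output collected from each endpoint and flags any host that has more than one default route. The host names, route tables, and the assumption that corporate gateways live in `10.0.0.0/8` are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches a Linux default-route line, e.g. "default via 10.0.0.1 dev eth0 proto dhcp metric 100"
DEFAULT_ROUTE = re.compile(r"^default via (?P<gw>\S+) dev (?P<dev>\S+)")

# Assumption for this example: corporate gateways sit in 10.0.0.0/8.
CORPORATE_GW_PREFIX = "10."


@dataclass(frozen=True)
class Finding:
    host: str
    routes: tuple          # ((dev, gateway), ...) for every default route found
    has_corporate: bool    # True if at least one default route uses a corporate gateway


def default_routes(route_table: str):
    """Return (dev, gateway) for each default route in `ip route show` output."""
    routes = []
    for line in route_table.splitlines():
        m = DEFAULT_ROUTE.match(line.strip())
        if m:
            routes.append((m.group("dev"), m.group("gw")))
    return routes


def flag_dual_homed(inventories: dict):
    """Flag hosts with more than one default route (e.g. LAN plus phone hotspot).

    A single non-corporate default route is NOT flagged: that is just a laptop
    working from home. The risk condition is two simultaneous paths out.
    """
    findings = []
    for host, table in inventories.items():
        routes = default_routes(table)
        if len(routes) > 1:
            corp = any(gw.startswith(CORPORATE_GW_PREFIX) for _, gw in routes)
            findings.append(Finding(host, tuple(routes), corp))
    return findings


# Constructed sample: three laptops' route tables as an inventory agent might collect them.
SAMPLE_INVENTORY = {
    # Wired to the corporate LAN only.
    "lt-001": (
        "default via 10.0.0.1 dev eth0 proto dhcp metric 100\n"
        "10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.57\n"
    ),
    # Wired to the LAN *and* joined to a phone hotspot (the Whack-A-Mole case).
    "lt-002": (
        "default via 10.0.0.1 dev eth0 proto dhcp metric 100\n"
        "default via 192.168.43.1 dev wlan0 proto dhcp metric 600\n"
        "10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.58\n"
        "192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.12\n"
    ),
    # Off-site on home Wi-Fi: one default route, not flagged.
    "lt-003": (
        "default via 192.168.1.1 dev wlan0 proto dhcp metric 600\n"
        "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.40\n"
    ),
}


if __name__ == "__main__":
    for f in flag_dual_homed(SAMPLE_INVENTORY):
        tag = "corporate+other" if f.has_corporate else "multiple non-corporate"
        print(f"{f.host}: {len(f.routes)} default routes ({tag}): {f.routes}")
```

On Windows the same idea applies to `route print` or `Get-NetRoute -DestinationPrefix 0.0.0.0/0`; the point is the condition (two active default routes at once), not the parser. Treat a hit as a conversation starter with the user, in the spirit of the post, rather than an automatic block.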

The CISO will claim that they have controls, and of course the company is monitoring and will be able to shut each one of these unintentional risks down very quickly. The IT group will be the ones tasked with it, whether or not they have the people or money to do it, and the users just look at it as a giant game of Whack-A-Mole. They’ll keep popping out of their hole with new ways to do things, and they know that they won’t get caught every time.

So how do you avoid playing Whack-A-Mole in the first place? You start by asking your users questions and listening to their needs. You figure out what they want to do and find out whether there is a way you can set them up to do it safely without compromising your data and your business. You figure out the best way to manage and mitigate the risks that they are presenting while still enabling them to do work, be productive, and stay happy. You turn it from a game of Whack-A-Mole, us versus them, into a team game where everyone is successful.

  • CloudOfCaroline

    Firefighting takes up more IT/ITSEC time that would have been better spent with CoIT in the first place. Whack-a-mole is high maintenance, especially with Thor-like users! Nice piece :-)

  • http://twitter.com/Wh1t3Rabbit Rafal Los

    Brian, nice and relevant as always… we keep spinning back to the ‘customers will do what they do, we need to figure out how to get their use-cases first’ …which is nice but I’ve never met someone who didn’t define requirements then 15 minutes into an implementation say “Oh shoot, it would be really cool if …” and then they turn and either look at the IT guy or in these personal device cases turn to Google or a friend to figure out if they can do it.
    I don’t know that there is a better answer than whack-a-mole here, on some level. I’ve watched organizations take one of two paths – either they play the lock-down card and it’s just all over… OR … they go the other way and are stuck playing whack-a-mole on some level for ever. Maybe option 2 is the only sane way to go to minimize risk while keeping the customers productive and happy?
    I guess there isn’t a secret formula that works everywhere…is what I’m saying. Even with the best processes the end-customer will always find something they can do that you didn’t account for no matter how much time they spend with you beforehand…that’s just the nature of humans.

  • http://www.facebook.com/sverdlik Boris Sverdlik

    Very well stated. I agree completely with the article as a whole with one exception. All three should be aligned and that is the only way to do it properly. Security almost always works directly with the business and sets forth business requirements that will ensure operating risk is within a tolerable threshold. The animosity between IT and security usually comes into play when corners are cut in control implementations.

    Users will always figure out workarounds for personal use and that is where strong policy enforcement must come into play. We are all responsible for enabling the users to do their jobs efficiently and securely so that the business is successful, but usability outside of that is in nobody’s charter.

    • http://twitter.com/bmkatz Brian Katz

      I see partnership as another word for alignment and I am not sure I agree or disagree about who security works for…okay in either case.

      I think you miss the one point that in order to have more productive employees, enabling personal use can be a very good thing. It’s not a question of being in someone’s charter, but if a happy employee is a more productive employee it sort of is in the business’s charter.

  • http://www.facebook.com/david.farrell.9619934 David Farrell

    You people have all lost sight of humanity. All you BANG ON about is technology, as though life consists of IT/Tech.

    If this is interesting reading? I’m giving up reading.

  • http://www.techdisruptive.com Mike Bestvina

    Fundamentally there will always be a battle between IT (security) and the end user (accessibility). Steve Yegge has an awesome rant about this: https://plus.google.com/112678702228711889851/posts/eVeouesvaVX
