We’re in the second half of the year, which means a long array of tradeshows is now behind us. On the heels of the most recent events I’ve attended, the Gartner Security and Risk Management Summit and IANS Dallas – both excellent shows attended by an impressive array of information security brass – I realized that there is still one fundamental issue, an InfoSec elephant in the room, which often clouds the judgment of many very intelligent people. It came up during several conversations throughout the year, but not until I discussed it on Twitter was I forced to distill The Problem into its simplest form:
— Tal Klein (@VirtualTal) July 1, 2013
The dominant thinking in information security is still rooted in the notion that policy can somehow trump reality.
My proposed approach to solving The Problem:
To measure the biz value of your infosec architecture, you must equally weigh its tech capabilities with its impact on user productivity.
— Tal Klein (@VirtualTal) July 3, 2013
To measure the business value of an information security architecture, we should equally weigh its technical capabilities with its impact on user productivity.
That is to say, you can tell an employee “this is your box, you must work inside of it,” but if they can’t do everything they want to do inside that box, or if the box is not ergonomic or responsive enough to their needs, you can count on them working outside the box and outside your purview. At that point, regardless of how secure the box is, it has lost its business value.
By the way, I wrote “want” instead of “need” when referring to user behavior here on purpose: if we accept The Problem as fact, then policy must be bounded by reality, rather than the other way around. That’s why we, at Bromium, have built an architecture that assumes users need to do what they want to do, because we believe feeling productive is being productive, and security should be an inherent and painless component of a productive environment.