Wednesday, November 27, 2013

Finding Your Digital Security Swing - How Knee Surgery Helps Secure Your Assets


Earlier this month Lucas Glover won the 2009 US Open Golf Championship. Although a remarkable victory, my attention was fixed on Tiger Woods. As the Bethpage rains piqued his swing I couldn't help but recall his thrilling victory at Torrey Pines (location of the 2008 US Open). The images of him in physical pain, struggling, and playing the entire 5 rounds on less than two knees, battling Rocco Mediate for the championship, were the stuff of legends. Shortly after that mesmerizing performance, however, Tiger Woods announced his plans to undergo knee surgery, and the end of his 2008 season.

What (you may ask) does this have to do with digital security? Quite simply this: digital security is akin to reconstructive knee surgery. The importance and effects of knee surgery to Tiger's career are not dissimilar to the challenges faced by a frequently overstressed and overworked IT director who is expected to efficiently, effectively and economically deliver a secure system.

In golf, the front knee is the pivotal body part responsible for balance and weight-shift during the swing. The slightest glitch (consider a torn ACL) can upset the very delicate balance between rhythm, swing speed, swing path, club length, grip tightness, weight distribution and torso twist. Without a strong knee a golfer is hopeless; without a Blackberry-, Exchange- or web-server most organizations would be similarly "knee-less".

For a serious golfer, let alone Tiger Woods, the excruciating physical pain caused by playing on a torn ACL is surpassed only by the mental frustration experienced during an extended rehabilitation period. Not only does the golfer have to contemplate the potential unsuccessful results of the reconstructive knee surgery during the rehabilitation period, but they also have to fight the nagging doubts that attempt to erode their confidence on a daily basis.

Here is where the analogy to digital security takes hold. Many IT directors and C-level decision makers have had poor experiences with security products and services. Previous "quick-fixes" and reactive implementation of security protocols have left them disenchanted with the effectiveness of security solutions. There's a pervading sense that product-specific promises were woefully overstated and largely unfulfilled. Regardless, the ever-present and nagging pinch in their organization's proverbial front knee reminds them serious and damaging problems loom on the horizon. I have witnessed IT departments inhale a collective breath of anxiety and uncertainty as security remediation topics rear their head, acknowledging that a great deal of frustration exists in this area. This frustration, I believe, centers on the awareness that a divide exists between the effort and resources needed to properly implement a security program and the culture change required to sustain it.

Directors are beginning to understand that bridging this divide requires a change in the methodologies that address information handling and classification and their valuation of digital assets. They are also beginning to understand that the policies and procedures to secure these assets can quickly leap beyond the manageable. Where then does one draw the line? Where should a security program and policy start and end? How far should one go when considering legal, regulatory and contractual obligations? What about liability? What about confidence in one's information system's operational longevity? What about peace of mind? The answer is simple. Consider, again, Tiger Woods's reconstructive knee surgery.

To perform his surgery Tiger did NOT do several things. Firstly, he did not approach his general practitioner for advice on his knee surgery. Secondly, he did not provide his GP with a DIY book or medical journal articles on how to perform reconstructive ACL knee surgery and expect him to perform this surgery. Thirdly, he did not pay to educate a surgeon to become proficient in knee surgery and to then perform his knee surgery. Instead Tiger went to the best ACL reconstruction knee surgeon he could find. He went to a specialist to restore the functionality of the most important part of his operating machine. Further, he was willing to take the time to heal it properly, to go through the rehabilitation process in a disciplined and thorough manner thereby ensuring longevity and future success.

Security is no different! In essence, it is reconstructive knee surgery. Understanding vulnerabilities and implementing effective security measures requires skill and expert knowledge, not a review of off-the-shelf books with flow-by-flow diagrams. Digital security is knee surgery!!

The industry is riddled with products, including hardware, software and services, all claiming to make any trained (or "certified") user a security technician. However, these require time and money to implement correctly and to manage efficiently, and expert knowledge to use proactively. Some succumb to the temptation that purchasing gadgets and certifications will make them more secure, thus validating their assumption that money spent is a dependable metric of digital security. Frequently, these are later discarded, at a loss of both money and time.

I have seen the temptation of a "security quick-fix" or the desire to "go it alone" commandeer the decision making process. Inevitably, these (like Tiger's arthroscopic surgeries) are incapable of quelling the pain. Instead, when organizations take an "ACL knee surgery" approach by relying on expert advice and services, and implement recommendations in a disciplined and thorough manner, they experience greater and longer lasting success.

Frequently additional benefits are also realized. The rehabilitation period is usually shorter than anticipated, leading to increased productivity and confidence in IT operations. Also, subsequent policy and procedure changes are less time consuming and resource dependent, adding value to the organization. Lastly, IT infrastructure changes are usually more efficiently planned and more securely executed as a result of this disciplined approach. If past is prologue, companies who are committed to digital security will be surprised by how quickly and successfully they find their swing, even in this rapidly changing digital world and regardless of the ever-present storms of risk that pour drenching rain all around.
