Skip to main content

Security: A Model Less Simple

When passing through a full body scan, a pat-down search and a baggage x-ray on your way to buying a coffee in your local mall, you know you live in the era of Security.

It seems to me, however, that enterprise security operates under the sole premise that mal-intention can be prevented. Password policies, network restrictions, biometric sensors, intrusion detection, firewalls, access tokens, truckloads of technology all geared to one single goal - keep the bad guys out. Driven by fear of doomsday scenarios fed into you at numerous conferences, we treat every potential breach as a nuclear explosion and try to prevent it. I doubt anyone other than Jet Li can bring a jet down with a pocket knife (and by definition he's a rare talent), yet we – at great cost and inconvenience - make sure every pocket on a plane is empty of a knife. Even China does not have that many Jet Li's so for that kind of success ratio this is kinda expensive.

Ignored here is the strategy of deterrence - make them afraid of its consequences. This strategy can be seen everywhere the real world, but its oddly absent in the virtual world of information security. People don't steal just because a door is open; more often its because they don't want to go to jail. They know that jail is a possibility because newspapers and politicians and others give ample coverage to crime and its consequences. In societies where punishment is unlikely (such as war-torn Afghanistan) people rarely worry about consequences and crime is undeterred. Companies should similarly publicize penalties and visibly take severe action in case of breaches. An ounce of deterrent is often worth many kilos of prevention, but I've yet to see a company security policy (usually running to hundreds of pages) specify punitive actions. CISOs should get the authority to swing a big stick, and make sure that it's visibly swung when the need arises.

Its simple. Publicise the punishments (make sure they're substantial). One fine sunny day, pick a few violators and make prominent, public examples of them. Repeat every quarter, or as frequently as needed. Even the good old Chanakya recommends it - "saam, dhaam, dand, bhed" - where "dand" is the thing to note here

Prevention, of course, can hardly be neglected. Locked doors and access controls are important, but in the absence of a deterrent this leads to rapidly diminishing utility. Think of a country with no effective police; the bill for private security and electric fences will start climbing rather quickly. This is fine if you live in Wasseypur, but in other cases a few ounces of deterrence is worth more than a few kilos of prevention.

Comments

Popular posts from this blog

Rethinking Disaster Recovery

Disaster Recovery has been on the minds of companies ever since the early days of commercially available computing. Today's world of DR revolves around four acronyms - BIA (business impact analysis), RPO (recovery point objective), RTO (recovery time objective) and BCP (business continuity plan). The acronyms appear in a disaster recovery plan in roughly in that order, the thinking being that you first analyse the impact to business of systems being down, then figure out how far back in the past are you willing to turn the dial back to recover from (last day, last hour, last millisecond). Next focus on how long you can afford to be down. Finally - buy a boatload of hardware, software and services to convert all this into action. Setting up a DR is a hugely expensive affair that takes a significant amount planning and effort, not to mention all those drills and tests every now and then. CTOs have followed this prescription since the late seventies (apparently the first hot site wa...

Being Brave

I recently read Annie Zaidi's book about dacoits, dead children and the fear of being groped, and it set me thinking about how easy it is to be brave when nothing is threatening you. I know I present it as an earthshaking revelation that the universe needed me and only me to discover, but it is the start of a blog and I can be forgiven for a small amount of self-importance. After all, blogs are essentially exercises in the unshaken belief that people want to read what you write. Back to the bravery bits. My daily commute to office, strewn with garbage, potholes, oddly designed roads and casual, insouciant encroachment reminds me repeatedly that in India a lot of things need work, but I also realize I live in a world that is not threatened in any way. A complex web of interactions that we never think about keep our lives free of many fears and constraints, things that I and the people around me take for granted. The freedom to speak, the freedom from arbitrary search and seizure,...

The Song of Socialism II: Penetration

Social is the new buzzword, and what a loud buzz that is nowadays. In the last post I described my theory of levels of social media - Presence , Participation , Penetration and Platform . Presence was passive, Participation was active entry into the world of social media. Penetration and Platform are quite a bit more complex. This part two of the series gets into the next P – Penetration . I’ll need another post for Platform . To understand where I’m going with this, lets see what a social network really is. The web started off as a way to connect content together. Any piece of content could easily and simply refer to another piece of content, even if it was on a different server in a different country. A browser allowed people to move from content item to content item, thus making the universe of the world wide web a wonderful store of content. People soon realized that this could be extended to all kinds of transactions – one could pass not just content but messages and info...