Skip to main content

Security: A Model Less Simple

When passing through a full body scan, a pat-down search and a baggage x-ray on your way to buying a coffee in your local mall, you know you live in the era of Security.

It seems to me, however, that enterprise security operates under the sole premise that mal-intention can be prevented. Password policies, network restrictions, biometric sensors, intrusion detection, firewalls, access tokens, truckloads of technology all geared to one single goal - keep the bad guys out. Driven by fear of doomsday scenarios fed into you at numerous conferences, we treat every potential breach as a nuclear explosion and try to prevent it. I doubt anyone other than Jet Li can bring a jet down with a pocket knife (and by definition he's a rare talent), yet we – at great cost and inconvenience - make sure every pocket on a plane is empty of a knife. Even China does not have that many Jet Li's so for that kind of success ratio this is kinda expensive.

Ignored here is the strategy of deterrence - make them afraid of its consequences. This strategy can be seen everywhere the real world, but its oddly absent in the virtual world of information security. People don't steal just because a door is open; more often its because they don't want to go to jail. They know that jail is a possibility because newspapers and politicians and others give ample coverage to crime and its consequences. In societies where punishment is unlikely (such as war-torn Afghanistan) people rarely worry about consequences and crime is undeterred. Companies should similarly publicize penalties and visibly take severe action in case of breaches. An ounce of deterrent is often worth many kilos of prevention, but I've yet to see a company security policy (usually running to hundreds of pages) specify punitive actions. CISOs should get the authority to swing a big stick, and make sure that it's visibly swung when the need arises.

Its simple. Publicise the punishments (make sure they're substantial). One fine sunny day, pick a few violators and make prominent, public examples of them. Repeat every quarter, or as frequently as needed. Even the good old Chanakya recommends it - "saam, dhaam, dand, bhed" - where "dand" is the thing to note here

Prevention, of course, can hardly be neglected. Locked doors and access controls are important, but in the absence of a deterrent this leads to rapidly diminishing utility. Think of a country with no effective police; the bill for private security and electric fences will start climbing rather quickly. This is fine if you live in Wasseypur, but in other cases a few ounces of deterrence is worth more than a few kilos of prevention.

Labels:

Comments

Post a Comment

Popular posts from this blog

Outsourcing I–The "Why" Question

A little while ago, I was asked to give a presentation to CEOs on outsourcing. The audience wanted to know about adopting outsourcing for their companies; making use of its promise while avoiding its pitfalls. It seemed to me (unimaginatively, I must admit) that the whole thing boiled down to four fundamental questions - the why , the what , the who and the how . I decided to expand the presentation into a series of blog posts, one per question. The Why Question Why outsource? Given that a trillion-dollar industry has crowded a lot of people into Bangalore and made more than one driver rich, it seems a little late to ask this question. However, this isn't really about outsourcing being good or bad per se. Bloggers like us love to wallow in theoretical questions; companies usually want answers to more prosaic stuff. The question really is, why should a company be looking for an outsource partner ?   I've divided the universe into two simple flavours – Tactical and Str...
2 comments
Read more

Rethinking Disaster Recovery

Disaster Recovery has been on the minds of companies ever since the early days of commercially available computing. Today's world of DR revolves around four acronyms - BIA (business impact analysis), RPO (recovery point objective), RTO (recovery time objective) and BCP (business continuity plan). The acronyms appear in a disaster recovery plan in roughly in that order, the thinking being that you first analyse the impact to business of systems being down, then figure out how far back in the past are you willing to turn the dial back to recover from (last day, last hour, last millisecond). Next focus on how long you can afford to be down. Finally - buy a boatload of hardware, software and services to convert all this into action. Setting up a DR is a hugely expensive affair that takes a significant amount planning and effort, not to mention all those drills and tests every now and then. CTOs have followed this prescription since the late seventies (apparently the first hot site wa...
2 comments
Read more

The Song of Socialism II: Penetration

Social is the new buzzword, and what a loud buzz that is nowadays. In the last post I described my theory of levels of social media - Presence , Participation , Penetration and Platform . Presence was passive, Participation was active entry into the world of social media. Penetration and Platform are quite a bit more complex. This part two of the series gets into the next P – Penetration . I’ll need another post for Platform . To understand where I’m going with this, lets see what a social network really is. The web started off as a way to connect content together. Any piece of content could easily and simply refer to another piece of content, even if it was on a different server in a different country. A browser allowed people to move from content item to content item, thus making the universe of the world wide web a wonderful store of content. People soon realized that this could be extended to all kinds of transactions – one could pass not just content but messages and info...
Post a Comment
Read more