Thursday, March 1, 2012

You don't have to always be the bad guy

So, Zenprise is saying that most of their clients are buying Mobile Device Management (MDM) tools to block stuff such as Angry Birds and Facebook, due to productivity issues, instead of doing real security work.

If you ever had to manage Web content filtering tools you know how it works. Some manager gets mad because he sees an employee browsing his Facebook or Twitter timeline at work and decide that Security has to block those productivity killing nightmares. Security is always blocking stuff, right? Why wouldn’t they block that too?

Because Security is always having a bad time trying to not look like Mordac. Yes, sometimes we have to block stuff due to security risks, but that doesn’t mean we should also be responsible for blocking stuff for other reasons. In order to inject itself in the early phases of business and IT initiatives we are constantly trying to change our image from the guys who are always preventing anything from happening to business enablers. How can we do it if we keep wearing all those control freak hats?

Security has to either say no to who is asking to block stuff not related to security threats or demand that those actions are clearly defined as policies from other groups, such as HR. Even if the tools used for those controls are the same being used for security reasons and operated by the Security team, the reasons for blocking stuff unrelated to security should be clearly stated and the processes to request exceptions or changes to the policy should be detached from those used for security stuff. Even the risk assessment of those requests is different, so why would we do it the same way (and by the same people)?

Maybe those draconian policies are being used to justify money spent on all those shiny tools, some classical security theater. If users are seeing that huge STOP! sign every time they try to access a website they will certainly think the network is really secure, right? J

No comments:

Post a Comment