Enabling business
Sometimes I catch myself defending "less secure" solutions for specific situations. It feels a little strange, but it usually happens when someone with "canned" knowledge about security tries to discuss the risks of some kind of technology, usually as an excuse to avoid the work needed to make that thing happen. These situations would be fun if they didn't leave others watching the discussion with the impression that the security guy (me) doesn't know as much as the other guy about the issues he raised.
Today I saw this on SecurityBuddha.com:
Stop Disabling and Start Enabling
If information security is to ever have an ounce of credibility in a corporate world it has to stop disabling and start enabling. The days of hiding behind thick piles of self-scribed doctrine and exercising personal dogma laced with stupid egotistical power trips based on technology religion must end. If you talk to most (yes most) folks outside of information security in an environment where this culture is allowed to exist they will usually raise an eyebrow, get their hackles up or even laugh in your face. The locker-room conversations discuss the “thought police” and ways to not tell or involve security about what’s really happening: and quite frankly I don’t blame them. Why?
Because sadly some so called security folks are nothing short of dinosaurs and I suspect exhibit many of the traits above. This article in CSOOnline proves it.
Can you blame people? I often read things and laugh, sometimes I read them and get angry and occasionally I read things and don’t know what to say apart from “what ‘wibbly wobbly’ planet do you live on?”
Maybe you would like to kill all cell phones as well? Let’s face it, they are really annoying. All those people talking and doing business while you try and read your newspaper with your drip coffee and Krispy Kreme.
Maybe that new fangled Internet thing should be shut off period? After all what’s wrong with paper and carrier pigeons?
I hope the author doesn’t work for a publicly traded company. If he does I am calling Kramer for a sell recommendation and I am serious.
As Dilbert once said, “I am not anti-business, I am anti-idiot”.
Yes, he is quite right about it! Another funny thing about blocking IM is that the request usually comes from managers who don't want their team spending time chatting. So they try to make Security block it, avoiding a direct conflict with the team. When I say that I'll do it only if the reasons are clearly stated to the users, they usually give up.
Mark Curphey raises a very important issue in the post above. When you become a problem and overreact to some threats, people will start to avoid involving Security in their projects, because they expect the same behavior (disabling). Try to show the company that your role is not disabling things. Even when writing reports or providing feedback, try to replace "can't be used" with "can be used with security improvements". I know that sometimes even that is impossible, but don't discard it until you really see that there is no other option.