I want what they’re having

When consulting on a security issue, one of the questions that makes me grind my teeth more than any other is some variation of, “What’re our competitors doing?” My initial reaction is always, “Who cares?” It’s really just a useless way to think about security and risk.

In my experience, no one asks this question because they are looking for a way to spend more on security, layer in additional controls to reduce fraud, or simply reduce risk. No, this question is almost always asked as an offensive move against the perceived unreasonableness of information security. It’s a political tool or a negotiating tactic meant to make you back down. That alone should be enough of a reason to dismiss it outright, but there is more nuance to this that makes it distasteful.

Your IT risk decision-making is not a commodity market. Sure, there are security commodities, but the decision-making itself cannot be outsourced to other organizations. Think about it: what if you dutifully came back with an answer to this question indicating that your competitors are doing not just what you are recommending but significantly more, and that their budget for this is five times what you were planning to spend?

Would they then immediately write a check for the difference? Offer you an apology and shuffle out the door defeated? No, of course not. Nor should they. The risk tolerance, assets, lines of credit, cash flow, customers, budget, product mix, public profile, threat agent actions, and loss scenario probabilities are not yours. Simply put, your competitor’s risk tolerance and appetite are not yours. As a result, you need to make the best decisions you can with the best (quantitative) data that you have at your disposal.

Of course you should seek inspiration from various sources, if you can get it. I love the notion that security folks are a chatty sort who dish endlessly about the goings-on in their companies. Security professionals should be fired for such action — you don’t want chatty security people working for you. Information-sharing regimes, processes, and protocols exist, but data sharing at that level tends to be categorical, which isn’t often useful enough to answer the question being posed. There is one exception to my rant, however, and that is legal. They probably are the ones who would advocate that budgets and controls be increased to reflect the posture of other organizations. Except legal won’t fund anything, so you have to go to the business anyway.

Negligence and Compliance

Compliance is out of control. It’s pervasive in our society now and there is no going back. Allow me to explain.

My kid attends pre-school. They go outside daily to play, so we were asked to provide some sunblock. Makes sense, our family is pale so we are used to that routine. We brought it in, signed a legal release (sigh), and we were good to go.

Or so we thought.

We received an email later in the day saying that they cannot use an aerosol can and we need to provide sunblock that is a cream. Now, this wasn’t communicated to us previously, so that’s disappointing, but the real issue is the promulgation of the phrase, “It’s our policy…” The use of this term is quickly becoming a death of a thousand cuts.

How far is this to be taken? Would they have compelled my kid to go outside in the sun to burn, while the unopened sunblock sat idly by, not protecting them from an inappropriate amount of UVA/UVB? Would they have sat self-satisfied that policy boxes were checked while children roasted in the midday sun?

“It’s our policy that we don’t use aerosol cans to apply sunblock. It might get in their eyes.”

Well, it’s not pepper spray; it’s not meant to be sprayed in the eyes. Everyone knows the trick of spraying it into your hand and then applying it to your face. I’m about ready to build my own set of personal policies (“That’s unfortunate, but it’s my policy that children not burn in the sun when sunblock is within arm’s reach”), effectively pitting policy against policy in a byzantine Mexican standoff of bureaucracy and drudgery.

Since I see the world through a risk lens, I see this as a failure in risk management. Which would have exposed this organization to greater risk: the remote possibility of spray in the face, or the near certainty that skin will burn? In this case, the robotic adherence to policy actually INCREASED risk in the organization by promoting what is effectively negligence.

Thankfully, the outside activity that day took the kids through a shady grove, so no sunburn ensued, but this is a great example of how a compliance regime that exceeds the organization’s risk tolerance actually increases risk.