There are two ways to implement security:
- Real security, based on empirical evidence and analysis.
- Checklist security, based on the latest checklist somebody says is important.
When security is based on real evidence and analysis, policies are enacted based on real gain and measured against the business impact. Risks are considered, and the costs versus benefits are well understood so that policy choices are based on real, useful information.
On the other hand, there’s security by checklist. Costs aren’t calculated, risks aren’t understood, and business impacts are ignored. All that matters is that somebody gets to check a box on a form; there’s no understanding, no logic, and likely no real benefit involved.
The point of security policies isn’t to show off how many hoops you’ve built that people have to jump through when doing their jobs. Yet, when a company accepts a security-by-checklist mentality, this is exactly what it is doing. It spends its time building hoops that it can show off later while ignoring the threats it is supposed to be addressing.
Recently my laptop died, and the new laptop was set up with DLP, or digital loss prevention software. The main purpose of the software is to prevent me and anyone in my group from being able to use removable drives – so that we can’t load them up with private information, of course.
This was done to check a box on a form; at no point did anyone actually think about the bigger picture, what the threat was, and how it should be addressed:
- I have a laptop and work remotely.
- When I disconnect from the VPN, I have unrestricted access to the internet.
- I routinely work with sensitive data, so it’s not uncommon for it to be on my computer.
- I could easily encrypt a file full of private data, and upload it to the cloud after disconnecting from the VPN, and nobody would know.
So, by blocking the use of removable drives, they made it much harder for me to recover from a failing laptop and added nothing to security. Blocking thumb drives won’t stop a person from stealing data when they have other ways to do the same thing. All it did was waste time and the company’s money.
They built a new hoop to show off, nothing more.
Such policies don’t help anyone – they don’t improve security, they certainly don’t prevent theft of data, and at the same time they do have a negative business impact: lost productivity, increased frustration, and in the end higher turnover from employees who are fed up with the meaningless work. There’s no winner here – except the person who wants to show off all of the hoops they have.
Security based on anything other than empirical evidence and legitimate analysis is just theater and nothing more.