BlackHat USA: Let Employees Say Where Security Policies Should Go
July 29, 2009 5:04 PM ET
Most executives' approach to security is all wrong.
Kicking off the BlackHat USA 2009 conference in Las Vegas Wednesday morning, Douglas Merrill, former chief operating officer of New Music for EMI Records, emphasized to scores of security officers, IT administrators and amateur and professional hackers that security is often based on inaccurate and arbitrary ROI statistics, inhibits innovation and prevents employees from doing their jobs.
Consequently, organizations should let users determine the direction of their own security policies, he said.
The reasons for outdated and inefficient security models stem from lack of communication and fear, Merrill said.
"We're smart, we're motivated, we're super-focused on research and development. We're getting it wrong because we don't speak the language of the users," Merrill said.
"Everyone listens to security officers. Executives are, in fact, terrified of us. So they write us more checks," he added. "The thing is, they don't know why they're writing checks. When asked, 'What is a security risk?' they either don't know or they cite something stupid."
All too often, ROI calculations don't accurately depict a company's actual returns. "Lost productivity and reputational damage -- what is that?" Merrill asked. "[Chief Security Officers] decided we needed to learn to speak executive. Everybody else calculates return on investment. We should too."
That fixation on ROI is reinforced by the perception, however unfounded, that executives are going to become a victim of a security breach -- something Merrill called the "availability heuristic," the perception that the likelihood of an event is radically overestimated because of personal experience.
"When we can't scare CEOs into writing us checks or listening to our ROI presentations, then we pull out the big guns," he said. "But boss, there will be a security breach, and it's going to be bad. Trust me."
That's when the prohibitive defenses go up, Merrill said. Consequently, companies implement rigid security policies and install prohibitive security solutions and restrictive proxies that build a defensive boundary around the network perimeter. Those security policies and solutions ultimately end up being counterintuitive to their aims of enabling productivity.
Most security breaches -- 60 percent -- occur due to stolen laptops. Meanwhile, 11 percent of breaches occur because hackers obtain client files that have been curbed without shredding, Merrill said.
However, reactionary implementation of restrictive network boundaries reflects a work-life model that is grossly outdated, Merrill said. "When you're at work you're at work, when you're at home you're at home. It turns out employees don't want that," Merrill said. "[Executives are] doing this because our intentions are wrong, our psychology works against us and we have lots of exemplars that tells us that we should do something different."
Most of the time, employees aren't "evil-doers" but simply want to do their job, even if they have to innovate around prohibitive security policies. Merrill said that once, to get around his company's remote access solution, he posted his schedule to his Google calendar.
The answer? Merrill said it comes down to letting employees determine where their security policy is headed. It's like building a lawn on a college campus -- where the grass is trampled, that's where you build your paths, Merrill said.
"Let your users tell you what they want, you let your users tell you what the controls of their behavior should be. We have to do the same thing in security," he said. "Humans are like rats, if you make it easy for them to find their way out of the maze, they will."