Friday, February 26

IT Security Best Practices and Why Users Could Care Less

In the November issue of Communications of the ACM, Butler Lampson, a Technical Fellow at Microsoft Research, offers an incisive analysis of the sad state of affairs in Security Management. I'm not a security practitioner, but I've been around long enough to have witnessed many an IT department be brought to its knees for hours and days while battling a security breach. Lampson's simple argument is that security experts have set perfection as the goal, and both vendors and customers have bought into this assumption. He reasons that perfection is missing the point because security management is essentially "risk management: balancing the loss from breaches against the costs of security. Unfortunately, both are difficult to measure."

That the costs are difficult to measure is generally obvious to anyone in IT, where departments typically don't even take the time to quantify the impact of component or application outages per hour [Numerous blog postings to follow!]. From the users' perspective, access and authentication interfaces become mere hindrances to doing productive work, so their universal response is to just say yes to any security question--no understanding or sense of ownership required. Lampson sums up the ramifications of this linkage between economic uncertainty and user indifference with an implicit rebuke of security vendors:

"The root cause of the problem is economics: we don't know the costs either of getting security or of not having it, so users quite rationally don't care much about it. Therefore, vendors have no incentive to make security usable."

I hope this encourages you to download the whole article for yourself. I will be watching how security managers and vendors address these self-limiting practices in the future.

Thursday, February 25

Notes on Bill Powell's March 2009 Presentation -- Impact of Economic Uncertainty on Service Management Plans

In March 2009, Bill Powell of IBM presented a super draft presentation to the NY LIG (Local Interest Group) of ITSMF USA that couldn't have been more interesting. I wrote up my notes on his talk here, but I encourage you to download the podcast and his slides from the final presentation. Here's the summary text from the ITSMF conference posting, just to give you an overview.

Amid the global financial turmoil and toughening business conditions, businesses continue to look to IT to provide leadership in responding to challenges and emerging opportunities. This presentation covers the implications and recommendations for leadership in an uncertain economy based on recently completed IBM research of over 400 IT organizations. This session will focus on the US results, how Service Management is transforming from an IT to a business discipline, and provide practical advice on how best to weather the storm.