Friday, October 11, 2019

Giving Meaning To Second Order Effects from Security Policies

I have a qualitative and anecdotal measure for knowing when business process owners have really started to internalize security changes and think about cyber risk. 

That measure? You’ll begin to see positive second order effects of the changes.

Think of effects like a domino effect. A first order event might be a wet tennis ball being hit in your direction. The second order effect of that might be filthy water from the spinning ball making your white shirt wet and dirty,  A third order might be having to unexpectedly change your shirt.

We can think of discussion or acceptance of a security policy as a first order event. Those second order and sometimes third order effects often have little to do with security but more with operational impacts to the business process. It also can mistakenly be viewed as security friction.

But it’s not.

Example: A key security policy and cyber risk decision within organizations is their policy around the use of personal devices. The organization can choose to allow personal devices for anything, allow personal devices for non-sensitive business functions, or not allow them at all. Each decision carries its own  risks, security related friction, and operational/logistical requirements on the business process owner to make work. 

If an organization allows personal devices, a key cyber risk decision will be whether certain job functions and access to certain critical servers/services/data will require users to have a corporate device for certain scenarios or, perhaps for other scenarios, a corporate device or personal device enrolled in the corporate mobile device manager (MDM). This includes access during off hours.

In short, your organization might now have three categories of mobile users under that policy.

  • Users that are required to have a corporate device because they need to access data that cannot be stored on a personal device
  • Users that can have a corporate devices or alternatively can just enroll their personal devices in the MDM for access to the data and services they require.
  • Users that have no such business requirements and do not need to enroll their personal devices

Acceptance of such security policies by the business process owner may incur new requirements to issue corporate devices for users in such roles who do not want to enroll their personal devices. This is a clear second order effect of a risk decison by the business process owner about a business process they own. 

Watch for these second order effects. The indicators are in the questions being asked. When you hear them, you’ll know that the business process owner isn’t just politely agreeing with the policy.  They are thinking through the gritty details and possible second and third order impacts. 

This is a great sign. Growing pains. The transition of change.  

It’s also the start of the process of internalizing security to the point of rethinking and uraveling the business process so that it can be successful. 

Little victories. 

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.


No comments:

Post a Comment