I have a qualitative and anecdotal measure for knowing when business process owners have really started to internalize security changes and think about cyber risk.
That measure? You'll begin to see positive second order effects of the changes.
Think of effects like a domino effect. A first order event might be a wet tennis ball being hit in your direction. The second order effect of that might be filthy water from the spinning ball making your white shirt wet and dirty. A third order effect might be having to unexpectedly change your shirt.
We can think of discussion or acceptance of a security policy as a first order event. Those second order and sometimes third order effects often have little to do with security and more to do with operational impacts on the business process. They can also mistakenly be viewed as security friction. But they are not.
Example: A key security policy and cyber risk decision within organizations is their policy around the use of personal devices. The organization can choose to allow personal devices for anything, allow personal devices for non-sensitive business functions, or not allow them at all. Each decision carries its own risks, security related friction, and operational/logistical requirements on the business process owner to make work.
If an organization allows personal devices, a key cyber risk decision will be whether certain job functions and access to certain critical servers/services/data will require users to have a corporate device for certain scenarios or, perhaps for other scenarios, a corporate device or a personal device enrolled in the corporate mobile device manager (MDM). This includes access during off hours.
In short, your organization might now have three categories of mobile users under that policy.
- Users that are required to have a corporate device because they need to access data that cannot be stored on a personal device
- Users that can have a corporate device or alternatively can just enroll their personal devices in the MDM for access to the data and services they require.
- Users that have no such business requirements and do not need to enroll their personal devices
Acceptance of such security policies by the business process owner may incur new requirements to issue corporate devices for users in such roles who do not want to enroll their personal devices. This is a clear second order effect of a risk decision by the business process owner about a business process they own.
Watch for these second order effects. The indicators are in the questions being asked. When you hear them, you'll know that the business process owner isn't just politely agreeing with the policy. They are thinking through the gritty details and possible second and third order impacts.
This is a great sign. Growing pains. The transition of change.
It's also the start of the process of internalizing security to the point of rethinking and unraveling the business process so that it can be successful.
Little victories.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.