Tuesday, July 20, 2010

The Jerry Maguire take on Security

I have a strong feeling this post is going to be my Jerry Maguire’s “Mission Statement”…

A couple of comments for those who have not seen the movie:
1. Keep reading, as watching the movie is not a prerequisite
2. You should probably consider watching it; it has some funny quotes

A recap - Jerry Maguire is a 1996 film starring Tom Cruise about a sports agent who has a moral epiphany and is fired for expressing it, who then decides to put his new philosophy to the test as an independent with the only athlete who stays with him (Wikiquote.org - http://tiny.cc/sqj8p).

My case is obviously different: it is not so much an epiphany but rather some thoughts/insights, and the whole firing part???

Despite the many changes the security community experienced, one thing seemed to stick with us throughout the years (especially as compliance has been bolted on to security) – FEAR.

If we scare them, they will come!

Fear as a way of thinking about the challenges, fear as a design criterion, fear as a way to prioritize features, fear as a driver for pricing, and certainly fear as a selling tactic.

It is kind of a negative way of thinking, don’t you think?

I recently participated in the Enterprise 2.0 conference. Surprisingly, these guys approach issues differently, on the verge of a Woodstock atmosphere. It is all about collaboration, opening up the organization, loosening controls, doing good for everyone (rainbows and violin background music…). Almost too much positive thinking for me…

In the audience I could notice quite a few CIOs, most of whom participate in our (security) conferences as well. It is simply mind-boggling what is going through their minds when they hear both Enterprise 2.0 and security pitches. The contradiction is simply amazing.

So who has it right?
Are we right and they are naïve, or do they have it right and we are simply afraid?

As with most things, I believe the truth is somewhere in between.

You would rightfully say organizations spend their security budgets addressing threats. And Rod Tidwell’s immortal motto (from the movie, of course) is probably correct: “Show me the money!” Security vendors should continue addressing these threats and fears. Hey, this is our thing and we should keep on doing it.

However, I still believe there is a place for positive thinking in our domain (security). The infrastructure play and information our security systems are exposed to can be leveraged for positive spins. Topics such as increased awareness, increased productivity and reduced cost can all be addressed.

Just a few simple examples (I’m keeping the real interesting ones for internal usage…):
1. While monitoring usage of applications, the system can recommend (potentially even automate) adding the more popular apps under the SSO umbrella.
2. As we monitor behavioral patterns for fraud detection, we can contribute to optimizing web applications, increasing productivity and reducing cost.
3. While controlling access to unstructured data, we can identify usage frequency and suggest lower-cost storage for hardly used documents or “cache” more frequently used data.
4. And even a small frustrating thing such as a laptop’s startup time can be improved: as application usage is monitored, we can identify hardly used apps/services and remove them from the startup sequence.

Can you imagine positive thinking can become a differentiator in the security domain?
Do you believe customers will actually be willing to spend their security $$$ on positive things?
