Enterprise Security and the Battle Over Productivity

Saturday, February 11, 2012

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

Contrary to what you've heard, the biggest battleground in the enterprise isn't over being 'secure'... we've gotten over that.  The fight is now over productivity.

If you think about it, everything your organization does is about maximizing the output for less and less input.  

Many organizations have productivity as a formal year-over-year metric they measure to validate that their operational efficiency is maximized... productivity is a serious deal. So, you may be thinking to yourself, what does productivity have to do with security, exactly?  Allow me to explain.  Everything.

Unintended Consequences of Security - The Good

Security impacts productivity in ways most of us don't even realize.  When your environment is free of the crud that slows systems down, and causes outages and unplanned downtime people can be more efficient and have a much greater productivity curve than when they're constantly opening up help desk tickets because some piece of malware has infested their system.  Constantly having to dig through your mailbox and sort out SPAM email isn't a great use of corporate personnel time either. 

Come to think of it, security can be the grease that keeps the well-oiled enterprise smoothly running along since we have our hands in systems, applications, processes and everything else that's critical.  We have visibility that comes from having to understand the 'big picture' and 'how the cogs fit together to move the machine' or some other cliche I can't think of right now.

Preventative maintenance in the form of system patching (again, carefully using the word preventative deliberately here) can keep servers, systems, and applications from failing unexpectedly during peak usage or critical times... and it's all because security mandates this type of mechanism.

There are other really good side-effects of security - especially when it comes to applications development.  I hear you laughing because everyone knows good security slows down the SDLC, but there are benefits that far outweigh the added few hours (again, predicated on the fact that it's done right) you'll spend implementing security requirements, testing, and validation.  

You see, applications that perform well (as I've blogged about before with my evil twin and performance guru Mark Tomlinson) also have the benefit of surviving attack (accidental or otherwise) during peak usage time... since Distributed Denial of Service (DDoS) seems to be the cool thing to do to sites you don't like, it's important to know that your site or application is resilient.  

More importantly, it's important to understand fully (as Mark points out) the implications that cross security-performance boundaries.  Again, these are all productivity issues because what happens when your work-from-home customer service platform is a target for an attacker?

Is your customer service department sitting on its hands, while you figure out how to solve the problem?  Or do you simply swat it away like an annoying gnat and chug along? You see, security can have a fantastic and often magical impact on productivity in a positive light... but it's not always cupcakes and butterflies.

Unintended Consequences of Security - The Bad

Security can be a pain in your rear.  Yes, I said, it.  When those patches come from your big database vendor and you have to take your corporate enterprise database completely down to patch?  

Or worse, you have to pull your database administrators off their current projects which are likely serving some company function and move them into a security project which requires them to replicate the database, apply the mountain of patches, regression test, then push to production and cross fingers.  

This isn't a 15 minute project... this takes hours and hours, multiplied by the dozens or hundreds of databases you have.  That's hundreds of hours of productivity lost to patching cycles.  Then we have servers, desktops, mobile devices and everything else that needs to be patched and maintained regularly.  Say it with me - "productivity black-hole."

Now, allow me to turn your attention to some of the policies that we in Information Security implement.  Things like restricting web site browsing categorically because employees shouldn't be browsing social media sites and such... except that your marketing department, nay, your social media marketing team lives to be in the social media.  

They're being blocked at every turn, and have to go to the security team to request exceptions all the time, and while they're sitting on their hands waiting for security to un-block their browser access to some site they critically need... yup, lost productivity. And don't even get me started about anti-virus (anti-malware, or whatever we're calling it these days) that is set to run a full system scan - the kind that brings your workstation to a grinding halt for 4 hours - in the middle of a Tuesday afternoon.

Employees call those times extended coffee breaks, or long lunches.  Yup, the 'full system scan' starts at 11am (have to account for those pesky time zones) and goes thru somewhere around 2'ish so everyone takes a longer lunch.  Again, massive productivity loss.

How about full disk encryption?  What about all those little annoyances that are loaded onto workstations that slow the machine down to a crawl?  What about the often Draconian access control policies that security sets up for good reason - but that forces employees to have to open a million help desk tickets to "get anything done."

The trick is, when security can't clearly and absolutely get definition on what employees should and shouldn't be allowed to do, they have to implement the law of least privilege overly aggressively and then things get slow, tedious, and everyone complains about security.

Unintended Consequences of Security - The Ugly

So far, we've been talking productivity gains and losses.  What about catastrophic productivity loss when things really hit the fan.  If you've never experienced an all-hands on deck moment then go hug one of your security people - in an HR-approved way, of course.  I've been a part of enough of these to say that incidents, when they happen - not if - will suck the life out of you.  

Say you're mid project, and maybe even on schedule to deliver that business-critical application upgrade, code migration, or critical partner connection.  Then you get the call.  "All hands on deck, we have an incident".  At this point, everything drops on the floor except for the critical issue at hand.  

This is productivity loss on an absolutely epic scale.  I've had people tell me that in a small organization (~100 people or less) they've lost a calculated ~5,000 hours of just human downtime being diverted from delivering business productivity - to fighting a raging fire (or incident).

On top of the actual costs of hiring attorneys, buying new gear on the fly, and bringing in armies of consultants and forensics people - your organization will experience catastrophic productivity loss.  This is probably just as bad as the public shame and customer backlash and directly impacts your bottom line and revenue too!  It's ugly.

The Analysis of it all

So in the worst-case scenarios security (incidents) can brutalize your productivity and on a good day they're going to improve productivity... but here's the thing about that. In most cases, it's like the posted with the little puppy says "When we do good, no one remembers, when we do bad, no one forgets".  

Ask yourself the last time you noticed that something the security team did improved your or the company's productivity.  Now ask yourself the last time you noticed when something security did that negatively impacted productivity.  Did a light bulb just go on?  See, the really good stuff security does is behind the scenes and when done well - you're not supposed to notice.  

You won't get a pizza party when you improve server uptime and don't get hacked and taken down.  You don't get carried on the shoulders of your colleagues for having the full system scan run at 11am on Friday (when everyone takes a long lunch anyway, ahem...).

So in the final analysis, I'm starting to think that the key to enterprise security is productivity.  How do you keep people in your organization as productive as possible? The obvious answer is minimal disruption, right?  How do we enable Enterprise Security to disappear in your organization... so that no one notices they're there (in a good way, obviously)?  

Stay tuned... this series on Enterprise Security is just getting going.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
12698
Enterprise Security
Information Security
Denial of Service Antivirus Enterprise Security Management SDLC DDoS Network Security Employees Policies and Procedures Rafal Los Productivity
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.