Comments on: PNSR: Knowledge Management and the Market Dynamics of U.S. National Security http://jbordeaux.com/pnsr-knowledge-management-and-the-market-dynamics-of-us-national-security/ Organizational Knowledge Design. Wed, 01 Sep 2010 19:19:41 +0000 hourly 1 By: srxdba http://jbordeaux.com/pnsr-knowledge-management-and-the-market-dynamics-of-us-national-security/comment-page-1/#comment-147 srxdba Sat, 14 Feb 2009 15:31:29 +0000 http://jbordeaux.com/?p=222#comment-147 This will be 'rambly', because it is Saturday (Valentine's Day) and I get to work all day, so not lots of time to ponder today. This is exactly why I use the term 'co-writing'...we must get away from viewing security as an absolute...either a 1 or a 0...security is all about risk management, and the enterprise needs to come to an understanding of what is 'acceptable risk' for them...do they understand the risks involved in using personal thumb drives? Are they willing to accept that risk? Ultimately, it isn't the decision of the security group - their job is to ensure that the risks are understood, then help implement security controls to manage the risks to the level determined by management. If a breach occurs, seems like more often than not the security group is pointed out as deficient, when frequently it is the management decision to accept a risk that is the real culprit. So, since security groups feel like they'll be the sacrificial lemming, they try to 'over-implement' security as an approach to CYA. Sometimes I want to scream "can't we all just get along?" when it comes to enterprise IA. Instead of always falling into an 'either/or' view, we'd get much better security results if we cooperated, communicated, and managed the risks appropriately. When looking at any external set of controls, we run into the same tension...sure, a project can be successful without any PMBOK/PMP practices, software can be developed outside of any SDLC or CMMi, or Agile processes (I know, I'm freely mixing and matching), but many folks agree that bringing in these external processes help provide more predictable results with higher quality. Kinda the same thing with security...certainly, we might have confidentiality, integrity, and availability if we play fast and loose, but when someone's home thumb drive (with an inadvertent virus provided by their kids) brings down the network, will the National Lab workers be doing any more work than they're doing with all the security rules in place? This will be ‘rambly’, because it is Saturday (Valentine’s Day) and I get to work all day, so not lots of time to ponder today.

This is exactly why I use the term ‘co-writing’…we must get away from viewing security as an absolute…either a 1 or a 0…security is all about risk management, and the enterprise needs to come to an understanding of what is ‘acceptable risk’ for them…do they understand the risks involved in using personal thumb drives? Are they willing to accept that risk?

Ultimately, it isn’t the decision of the security group – their job is to ensure that the risks are understood, then help implement security controls to manage the risks to the level determined by management. If a breach occurs, seems like more often than not the security group is pointed out as deficient, when frequently it is the management decision to accept a risk that is the real culprit. So, since security groups feel like they’ll be the sacrificial lemming, they try to ‘over-implement’ security as an approach to CYA.

Sometimes I want to scream “can’t we all just get along?” when it comes to enterprise IA. Instead of always falling into an ‘either/or’ view, we’d get much better security results if we cooperated, communicated, and managed the risks appropriately.

When looking at any external set of controls, we run into the same tension…sure, a project can be successful without any PMBOK/PMP practices, software can be developed outside of any SDLC or CMMi, or Agile processes (I know, I’m freely mixing and matching), but many folks agree that bringing in these external processes help provide more predictable results with higher quality.

Kinda the same thing with security…certainly, we might have confidentiality, integrity, and availability if we play fast and loose, but when someone’s home thumb drive (with an inadvertent virus provided by their kids) brings down the network, will the National Lab workers be doing any more work than they’re doing with all the security rules in place?

]]> By: John http://jbordeaux.com/pnsr-knowledge-management-and-the-market-dynamics-of-us-national-security/comment-page-1/#comment-89 John Sun, 08 Feb 2009 16:08:13 +0000 http://jbordeaux.com/?p=222#comment-89 Carl, My problem lies in this idea of "co-writing policy." Operations and Security are not peers - our focus is to get a job done, not just protection. I spoke with someone from a National Lab recently who said her office put up a sign: "Work-Free Safe Zone." The security lock-downs are simply out of control as practiced and hurting the mission. While I understand the importance of "external" audits, this leaves open the question: who decides? The fact is that the mission is fluid, and hard rules do not help us adapt to evolving challenges. There may be times when the mission will accept more risk than other times. If we agree that this is one key to agility, how does "co-writing" policy or security-as-IG help us get there? Carl,
My problem lies in this idea of “co-writing policy.” Operations and Security are not peers – our focus is to get a job done, not just protection. I spoke with someone from a National Lab recently who said her office put up a sign: “Work-Free Safe Zone.” The security lock-downs are simply out of control as practiced and hurting the mission.
While I understand the importance of “external” audits, this leaves open the question: who decides? The fact is that the mission is fluid, and hard rules do not help us adapt to evolving challenges. There may be times when the mission will accept more risk than other times. If we agree that this is one key to agility, how does “co-writing” policy or security-as-IG help us get there?

]]> By: Carl Willis-Ford http://jbordeaux.com/pnsr-knowledge-management-and-the-market-dynamics-of-us-national-security/comment-page-1/#comment-63 Carl Willis-Ford Tue, 03 Feb 2009 19:15:21 +0000 http://jbordeaux.com/?p=222#comment-63 "Subordinate Information Security Functions to Operations" - If what you mean is to have the 'hands on' done by Operations, with a separate security organization co-writing policy and providing audit functions, then I agree wholeheartedly. If you mean to have Operations encompass all security functions, then (among other problems) you lose separation of duties, leading to disaster...it really IS important to not have an organization audit its own security work. Ideally, the security professionals don't work for the CIO...imho, an enterprise needs the tension between the CIO looking for new and better ways to provide access and the CISO looking for new and better ways to provide security. “Subordinate Information Security Functions to Operations” – If what you mean is to have the ‘hands on’ done by Operations, with a separate security organization co-writing policy and providing audit functions, then I agree wholeheartedly. If you mean to have Operations encompass all security functions, then (among other problems) you lose separation of duties, leading to disaster…it really IS important to not have an organization audit its own security work.

Ideally, the security professionals don’t work for the CIO…imho, an enterprise needs the tension between the CIO looking for new and better ways to provide access and the CISO looking for new and better ways to provide security.

]]> By: Irving Lachow http://jbordeaux.com/pnsr-knowledge-management-and-the-market-dynamics-of-us-national-security/comment-page-1/#comment-62 Irving Lachow Sun, 01 Feb 2009 19:36:44 +0000 http://jbordeaux.com/?p=222#comment-62 John, Great blog! I like your analogy to financial markets. Anther common theme across the two: the primacy of information! Financial markets live and die on information. Same is true of the national security system. Along the same lines, both can be modeled quantitatively, but are ultimately driven by psychology and are thus irrational. You wanna write a paper on this? :) John,
Great blog! I like your analogy to financial markets. Anther common theme across the two: the primacy of information! Financial markets live and die on information. Same is true of the national security system. Along the same lines, both can be modeled quantitatively, but are ultimately driven by psychology and are thus irrational. You wanna write a paper on this? :)

]]>