The more things change, the more they stay the same. That old saying rings true for me today during one of my last few day in the customer facility on the Ikonos program. Back in the day, systems security and the people running those programs were generally seen as impediments to be tolerated, humored and avoided at best, productivity killers and adversaries to be vanquished at worst. These days, with all the advanced security technology available – encryption, monitoring, vast databases of security-relevant information on all nature of things – we still have not attained the ability to effectively manage security. Case in point…
The 3-letter business customers (NGA & DSS) have recently become alarmed at an increasing frequency of violations reported to them for carrying personally owned electronic devices into the closed areas. Additional training was ordered, cheesy audible warnings appear at the doors including clumsy keypad covers and of course, the threat of harsher consequences including device confiscation, ostensibly for the purpose of examination to clear the electronic violator of any wrongdoing. Swing-and-a-miss, strike one.
A portion of the training contains a missive from the local DSS rep about how staffing and budget issues prevent addressing the problem from a technical standpoint. There are too many different dangerous devices out there and they just don’t have the time, people or money to come up with a real technical solution to this problem. So the only way to deal with it is just say no. Put the onus on the users once again, and make it hurt. Strike 2!
In all the hubbub surrounding this fiasco, I wonder who considered the simple fact that for every violation reported to them, probably 10 or more go unreported? How often do you think Joe Blow or Suzy Schmoe is tapping away at their workstation in there when they realize their cellphone is still in their pocket and they suddenly feel the urge to go to the bathroom? Strike 3 – you’re out!
The more things change the more they stay the same. That’s one reason why I’m getting out of the security business, professionally at least. I have the background to be the safest, most secure user any white-hat could ever wish for. But I’m taking the hat off now. Won’t be needing it in my new job and it will very likely be my last. Interestingly enough, today the Supreme Court ruled on some cellphone cases that now make the Government’s cellphone security quandary even more controversial:
(Justice) Roberts noted in his opinion that cellphones “are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”
One thing that will never change in the security business is the simple fact that the most dangerous security vulnerability is the one that goes undetected. Think about that next time you consider punishing users for your inability to get the job done.