Unless you've been living under a rock the past couple weeks, you've heard about the much-maligned "bailout" (er, sorry, "recovery" - not!) package that the US Congress has been kicking about. The plan originally allocated US$700B to the US Treasury Dept., at the discretion of the SecTreas, to buy a bunch of bad, overpriced paper from financial services companies that are acting greedy and are unwilling either to disclose how much bad paper they have or to reduce the price of that paper and take the loss. Despite massive outcry from the public (you know, those fabled "constituents" who allegedly elected these elected officials), Congress has gone ahead and approved it today, with a few "sweeteners" added to bribe over the few hold-outs (about $110B in earmarks and tax credits - see here).
A few things have struck me about this entire ordeal and its similarities to life in enterprise security.
Knee-Jerk Reactions
One of the most common drivers found in enterprise security is the knee-jerk reaction. Had a breach? Better rush to fix it, ignoring everything else. Impacted by a new regulation? Focus exclusively on that and its requirements.
The problem is that the national and global economies, just like the enterprise, are not easily or beneficially broken into sub-components. You cannot just focus on one aspect of an enterprise, ignoring all others, and hope that everything will magically take care of itself.
Now, in this case, we have a bunch of Wall Street fat-cats who are suffering from making really bone-headed decisions. Rather than solve the problem effectively, or solve it themselves at all, they're looking to the Federal Government for assistance. SecTreas Paulson, a former Wall Street fat-cat himself, embraced this bailout notion immediately. But the reaction was swift and poorly considered. As is much of security.
Ignoring Consensus and SMEs
Another major challenge in enterprise security is hearing the right voices at the right time. Oftentimes, when under immense pressure, managers and executives choose action - any action - over waiting and building consensus. This unfortunate desire for instant gratification is quite dangerous, particularly with security and economics, in that neither is a field that does well with a short horizon. Sure, there are some examples where you have to have a short horizon (Microsoft Black Tuesday circa 2003, for example), but overall, you have the luxury of time (some time, not a lot of time) to sit and consider a problem and reach consensus on a rational approach.
In the case of the bailout, most economists opposed the plan, and by the end of this week had even gone so far as to find consensus on an alternative solution that would have cost the taxpayers far less, and likely would have been far more effective. Now, it's possible this approach may still prevail, but until that happens, it's terrifying to consider that the SecTreas now has 3x the debt of Africa at his discretion to hand over to his cronies back on Wall Street.
Unfortunately, as is often the case, the subject-matter experts (SMEs) have lost their voice in the discussion, and the executives have pressed their knee-jerk decision, right or wrong, in order to be consistent (or sell-outs in the case of Congress - $110B in earmarks!!!), and to show some sort of action. The same is true in enterprise security, particularly in times of crisis or vendor presentations, where management makes an arbitrary "shiny object" decision to move forward, regardless of how ill-conceived that decision may actually be.
Treating Symptoms (patch, patch, patch!)
In line with the thought on knee-jerk reactions, it is also very common in enterprise security for symptoms to be treated without any root cause analysis. The same appears to be true of the bailout package in that it tries to stem the bleeding from the surface wounds on Wall Street instead of going in to repair the internal tears that are allowing the blood to escape in the first place.
When pressured to "do something", it is very common in enterprise security to seek out the nearest painful symptom and attack it. Once addressed, everybody can feel good because that immediate pain is gone, but rarely do people want to talk about the root cause and whether or not that pain will come back.
In my previous life, one of our greatest achievements was standing up a proactive security assurance team focused on going into the field to work with engineers, seeking to positively impact designs from a security perspective, and adding testing before or concurrent with releases so as to catch major problems before they were exploited and turned into incidents.
Similarly, beyond the immediate need for recapitalizing the banking industry (as suggested by the consensus of leading economists), there is also a long-term need for the government to wrench open the books of affected financial services organizations to start analyzing what truly went wrong. It's time to get past the symptoms of a cranky Wall Street, which is by definition a volatile market, and start looking at the root causes, how to address them, and how to prevent or minimize a similar event in the future.
So Much for Strategic Outlook
The problem here, of course, is that to look for root causes and to think about long-term solutions is to talk about strategic planning. This concept seems to have become quite foreign within the American business culture. There is an excessive focus today on the short-term gains. Organizations and investors obsess over quarterly earnings, oftentimes altogether overlooking the long-term view. Where is the strategic vision?
The bailout is a perfect example of the rule of short-term thinking. Say, for example, that the bailout is fully applied, putting the government another $1 trillion (yes, with a 'T') in debt, and yet the economy still manages to fall into a depression in the next couple years. Will the federal government then become insolvent, too? What happens if your central government goes bankrupt? Well, I have a couple ideas, and neither is particularly nice. The USSR went bankrupt in the 80s and 90s and the government collapsed. Germany went bankrupt in the 1930s and the Nazis ended up seizing power, much in the same way as Bush has strengthened the role of the Executive Branch these past few years.
In enterprise security we have the same problem. As already mentioned, the common approach is a knee-jerk reaction to stimuli, resulting in a short-term focus on symptoms. Unfortunately, treating symptoms on a short-term schedule does not produce a particularly risk-resilient organization. In fact, suffering from extreme short-sightedness will cause your organization more pain in the long term, given that it isn't protecting itself from risks overall.
Ironically, the business side generally already uses this kind of risk-protection strategy, just not for technology and security. The concept itself is very solid, grounded in the practices of business management, finance, accounting, and the actuarial sciences. If only Congress would use a similar perspective when considering short-term solutions to long-term problems.
Risk Management in a Vacuum
As we look back on this notion of short-term versus long-term solutions, there is one inherent danger that must be considered, whether we are discussing enterprise security or economic bailouts. That is the danger of making risk management decisions in a vacuum. Working in a vacuum is an interesting concept, since from a materials science perspective it can have strong benefits. In the business world, however, working in a manner that abstracts us from the normal stimuli of everyday life can lead to unintended consequences.
Take the case of the State of California, which is now facing insolvency itself. The root of the problem is the same one affecting Wall Street, and again it's a problem that the consensus solution addresses but the bailout does not.
Likewise, in enterprise security, we have the same concern: security solutions, once implemented, may treat symptoms without providing meaningful solutions. Or, worse, they may introduce new, unintended problems that hinder the business from performing optimally. My favorite example is the case of outbound Internet proxy firewalls that actively quash connections to web sites that are deemed bad or anti-productive. It's not uncommon as a security professional to run into major conflicts with these proxy configurations, since many of the sites a security professional might visit could fall under the "hacker" category, and thus be deemed inappropriate for work. The irony, of course, is two-fold: one, blocking the site doesn't generally improve the security of the enterprise (what risk is it mitigating or reducing?), and two, it may well lead to workarounds that undermine the very control that was put in place.
Putting aside the policy violation issue, we need to be very careful that our solutions receive review and validation from a broad audience in order to optimally verify that the impact will not be more negative than positive. Any rule that stops a major flow of legal, legitimate income for an organization is probably a pretty bad rule.
And so, back on the bailout, we come full circle, where Congress - at the behest of their presidential slave master - has passed legislation that was hastily crafted in a vacuum to address a symptom rather than a root cause, focusing on short-term pain without providing adequate consideration for long-term consequences, and completely ignoring the need for a strategic plan.
In the end, everything may be fine, but let's not be deceived into thinking that this bailout is a panacea. In fact, let's hope that this bailout package doesn't fulfill my fears and make the problem even worse than it already was. Is this a bailout or a reward for a spoiled, ill-behaved child? We may find out, one way or another, very soon.
For the risk-resilient enterprise, the lesson to learn here is to resist pressure to rush to solutions before the problem space has been fully defined. Listen to your SMEs, seek consensus, look for strategic solutions based on root cause analysis, and be careful not to develop solutions in a vacuum.