Richard Bucker

Who makes your security decisions?

Posted at — Sep 29, 2012

I’m sitting in front of my kid’s Chromebox and thinking about a password for her. It’s not that big of a deal; I could go crazy if I like, or I could go really loose. But as I’m sitting here I wish I could use this computer to monitor things at work. For the price of a Chromebox I can go mobile with much less fear about losing my computer, because everything is on the network and there is nothing stored locally. The machine weighs much less than the standard-issue laptop. I can also implement two-step authentication, and so on.

But as I think about security policies, I wonder who is making the decisions, when they make them, and what level of friction they are comfortable with. For example, if you are the CIO of a company, you have implemented lax security measures, and you are compromised, then you will likely lose your job and your rank, not to mention the legal fallout that is likely to follow. So my guess is that if a CIO is making the decision there is going to be a lot of end-user friction.

On the other hand, if you are a low-ranking manager responsible for security, you are likely to make things geek friendly: allowing people to connect to the company’s resources with their personal computers or tunnel through the firewall, reverse SSH from internal computers, in an almost wild-west setting.

Somewhere in the middle there is the HR policy maker. I’d like to think that this can go either way, but it usually falls toward the more-friction side of the equation.

Who makes your security policy decisions?
Federal, state, or local laws and ordinances?
Bureaucrats, think tanks, solution vendors, or third-party consultants?
Company executives or senior management?
Middle management or IT departments?
Security by committee?
Technical or non-technical employees?

What sort of UX friction is there?
Exclusive VPN with no external access and limited internal access?
Dedicated Citrix remote desktop running on a dedicated Wyse terminal?
Normal VPN with limited access to internal services?
SSH or tunnel?
Robust applications acting as a proxy?
And so many more.

I still wish I had the network privileges and tools to do my job from my kid’s Chromebox.
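The "SSH or tunnel" and "reverse SSH" options are the low-friction end of the dial, and whether a given OpenSSH server can be used that way is decided by a handful of sshd_config keywords: AllowTcpForwarding (local -L forwards make the host a pivot, remote -R forwards open a listener on it), GatewayPorts, PermitTunnel, PermitOpen and PermitListen. The audit below is an added example, not code from the original post; it parses the global section of an sshd_config and reports how far that server lets a client turn it into a tunnel endpoint. The two sample configs are constructed for illustration. One caveat a practitioner would want: this governs servers you operate (bastions, jump hosts, anything a user could `ssh -R` into). A reverse tunnel from an internal workstation out to an external server is controlled by that external server's sshd and by your egress filtering, not by the workstation's own sshd_config.

```python
"""Audit an OpenSSH sshd_config for forwarding settings that let a client use
the server as a tunnel endpoint. Added example; the sample configs below are
constructed. Keyword names and defaults follow sshd_config(5)."""
import re

# Documented defaults: an absent keyword takes the default value.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
    "permitlisten": "any",
}

# Constructed sample: stock-looking config, forwarding never mentioned.
WILD_WEST = """
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: the "more friction" policy, with a narrow exception.
LOCKED_DOWN = """
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:5432
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section only.
    Parsing stops at the first Match block, since options inside it apply
    conditionally; sshd honours the first occurrence of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def tunnel_findings(text):
    """Return a list of strings, one per way the server permits tunnelling."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    fwd = cfg["allowtcpforwarding"].lower()
    remote_ok = fwd in ("yes", "all", "remote")
    local_ok = fwd in ("yes", "all", "local")
    findings = []
    if remote_ok:
        findings.append("AllowTcpForwarding permits remote (-R) forwarding: "
                        "a client can open a listener on this host")
    if local_ok:
        findings.append("AllowTcpForwarding permits local (-L) forwarding: "
                        "this host can pivot connections to other hosts")
    if cfg["gatewayports"].lower() in ("yes", "clientspecified"):
        findings.append("GatewayPorts lets -R listeners bind non-loopback "
                        "addresses, exposing them to the network")
    if cfg["permittunnel"].lower() != "no":
        findings.append("PermitTunnel allows tun(4) device forwarding "
                        "(a layer 2/3 VPN over SSH)")
    if remote_ok and cfg["permitlisten"].lower() == "any":
        findings.append("PermitListen is unrestricted: remote forwards may "
                        "bind any port")
    if local_ok and cfg["permitopen"].lower() == "any":
        findings.append("PermitOpen is unrestricted: local forwards may "
                        "target any host:port")
    return findings


if __name__ == "__main__":
    for name, cfg in (("wild west", WILD_WEST), ("locked down", LOCKED_DOWN)):
        print(f"[{name}]")
        for f in tunnel_findings(cfg) or ["no tunnelling permitted globally"]:
            print("  -", f)
```

Run it against a real /etc/ssh/sshd_config by reading the file into `tunnel_findings`. The stock-looking sample yields four findings because OpenSSH defaults to allowing both directions of TCP forwarding with no PermitOpen or PermitListen limits, which is exactly the condition under which a helpful user can make a bastion into an unsanctioned tunnel endpoint; the locked-down sample yields none globally, while the Match block keeps a narrow, auditable exception.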