<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIO Agenda &#187; Paul Appleton</title>
	<atom:link href="http://blog.atos.net/uk/author/paul-appleton/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.atos.net/uk</link>
	<description>Atos CIO Agenda</description>
	<lastBuildDate>Tue, 07 May 2013 16:54:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Security, Pedantry and Parking Tickets</title>
		<link>http://blog.atos.net/uk/2012/05/23/security-pedantry-and-parking-tickets/</link>
		<comments>http://blog.atos.net/uk/2012/05/23/security-pedantry-and-parking-tickets/#comments</comments>
		<pubDate>Wed, 23 May 2012 05:54:01 +0000</pubDate>
		<dc:creator>Paul Appleton</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Protection Inspectors]]></category>

		<guid isPermaLink="false">http://blog.atos.net/uk/?p=402</guid>
		<description><![CDATA[<p>&#8220;There&#8217;s another name for traffic wardens. Revenue Protection Inspectors is one.&#8221; Some crevices of civilisation attract the traffic warden personality. We see them lurking in children&#8217;s sporting competitions, in business communities, in our social lives where they slip just under the anti-bullying-bar. In popular culture we know them as Jobsworths, popularised by television (That’s Life) <a  class="more-link" href="http://blog.atos.net/uk/2012/05/23/security-pedantry-and-parking-tickets/"><span class="post_goto aGoTO">read more</span></a> </p><p>The post <a href="http://blog.atos.net/uk/2012/05/23/security-pedantry-and-parking-tickets/">Security, Pedantry and Parking Tickets</a> appeared first on <a href="http://blog.atos.net/uk">CIO Agenda</a>.</p>]]></description>
			<content:encoded><![CDATA[<p>&#8220;There&#8217;s another name for traffic wardens. Revenue Protection Inspectors is one.&#8221;</p>
<p>Some crevices of civilisation attract the traffic warden personality. We see them lurking in children&#8217;s sporting competitions, in business communities, in our social lives where they slip just under the anti-bullying-bar. In popular culture we know them as Jobsworths, popularised by television (That’s Life) and in film (Beatles’ Help).</p>
<p>One particular organisational Petri-dish for this is the Business Risk discipline. Particularly when dealing with regulated systems security.</p>
<p>The information systems security advisor, ossified into making a business decision, reacts by reducing personal risk, without regard for the contingent business implications. Imagine that there is a business imperative to post a letter. The post box is on the street corner; the street corner has double yellow lines.</p>
<blockquote><p>The security advisor&#8217;s solution: &#8220;The Road Traffic Act says one can&#8217;t park on double yellow lines. You must park in the town-centre car park and catch a bus to the post box. I&#8217;m not making a decision, but I can document the risks and ask someone else to break the law&#8221;.</p></blockquote>
<p>The risk opinion goes up the tree, no one wants to challenge perfectly reasonable logic until the business unit who wants to post the letter realises the additional costs and then does their own analysis:</p>
<blockquote><p>The pragmatic business: &#8220;We could be purists, at huge cost, or we could park up and take a chance. But what I think we&#8217;ll do is drive with a colleague, park up, I&#8217;ll jump out while my colleague keeps watch and drives round the block if anyone comes.&#8221;</p></blockquote>
<p>The answer to this behaviour lies in the interstices of security and risk. The security purist says &#8220;no&#8221;, the risk manager says &#8220;no but&#8221;. Unlearning behaviour is hard; the information security trade tends to attract a certain personality type who is personally risk averse, prone to pedantry and tends to think in the language of protection, defence, doing less and stopping things happening. Turning our security teams into business teams is a start, followed by extracting security from IT and reporting into the business, or at least the business risk function.</p>
<p>Making a decision is scary, but extracting value from the risk teams means empowering and enforcing decision-making behaviour, viewing security as a tool to enable business imperatives, changing the language we use to reflect that security can help an organisation grow as well as defend. There are many examples of this: from the trivial of bringing your own iPad through to enabling secure financial transactions and using security as a selling point.</p>
<p>If we don’t do this, we risk the security trade being relegated to the organisational cul-de-sacs where their deontological minds will ensure they are perceived as an Immanuel Kant and called Traffic Warden behind their backs.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.atos.net/uk/2012/05/23/security-pedantry-and-parking-tickets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password Book Of Death</title>
		<link>http://blog.atos.net/uk/2012/05/22/password-book-of-death/</link>
		<comments>http://blog.atos.net/uk/2012/05/22/password-book-of-death/#comments</comments>
		<pubDate>Tue, 22 May 2012 05:56:30 +0000</pubDate>
		<dc:creator>Paul Appleton</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[PIN]]></category>

		<guid isPermaLink="false">http://blog.atos.net/uk/?p=407</guid>
		<description><![CDATA[<p>I don&#8217;t know which demonic spirit invented passwords, but if the intent was to burden us with a hopeless cause I think that the demons are still batting and we need to retire from the game. &#160; How many passwords do you have to manage? By passwords, include your card PINs, your on-line banking details, <a  class="more-link" href="http://blog.atos.net/uk/2012/05/22/password-book-of-death/"><span class="post_goto aGoTO">read more</span></a> </p><p>The post <a href="http://blog.atos.net/uk/2012/05/22/password-book-of-death/">Password Book Of Death</a> appeared first on <a href="http://blog.atos.net/uk">CIO Agenda</a>.</p>]]></description>
			<content:encoded><![CDATA[<p>I don&#8217;t know which demonic spirit invented passwords, but if the intent was to burden us with a hopeless cause I think that the demons are still batting and we need to retire from the game.</p>
<p>How many passwords do you have to manage? By passwords, include your card PINs, your on-line banking details, the proliferation of &#8220;secret questions&#8221; and your mother&#8217;s maiden name(s). I have more than sixty. If I count only those that I really care about, that is, those that can do me financial harm, there are at least forty. And I&#8217;m a simple soul, I have a handful of cards, bank accounts, mortgages and deal online mainly with Amazon.</p>
<p>The curse gets bigger when I include the mandatory sign-up screens for temporary web sites and spreads again when I include my work passwords.</p>
<p>I even need a password to open the door to my office! Four more digits (I use 1234).</p>
<p>Why do we put up with this? How do we manage it? In part, we put up with it because we have to. If one wants an account, one needs to play by their rules. One solution is to avoid the accounts. One solution is a digital password safe. One solution is to write your passwords down.</p>
<p>I have a password book and I have a File of Death. The File of Death is the file to go to when I die, where all my credentials are located. Given how easy it is to check in to the digital world, but how hard it is to check out (even when one checks out of the real world), it&#8217;s imperative to have a mechanism to close down FaceTwit in lieu of those organisations actually taking their users&#8217; privacy seriously enough. Before I die, there&#8217;s my password book. The only way to effectively manage all my passwords is to write them down and to have a sensible pattern. Possibly obfuscated, certainly re-used.</p>
<p>I like bananas. I used to like apples but about five years ago web sites started imposing password lengths and apple was just too short. Now I&#8217;m up to banana216% which seems to satisfy all the current complexity requirements.</p>
<p>Of course, I&#8217;m not completely stupid. I don&#8217;t use banana for all my accounts, only the ones that don&#8217;t personally do me harm (like work and those peculiar themed websites we all deny using). I have &#8220;fishcake&#8221; for the really high risk systems.</p>
<p>So, what&#8217;s the solution?</p>
<p>Reducing the proliferation of passwords can make our online life more secure. There&#8217;s no reason why forums and other socially social sites can&#8217;t just rely on OAuth and accept FaceTwitOogle credentials: indeed some are doing this already, but not enough. I can&#8217;t say I like the idea of authenticating to my bank account through Twitter, but I&#8217;d accept it for those sites that can&#8217;t directly do me harm.</p>
<p>Incorporating a FaceTwitOogle credential reduces complexity for the site (no access control lists to manage), it improves the user experience (simple sign on), it&#8217;s socially-webby (so it must be good in a 2.0 way) and it&#8217;s an amulet against the password proliferation. If the site absolutely must have an email address, then they can ask for it: and we can use Mailinator if we wish.</p>
<p>But in the absence of common sense and the system owners thinking through why they want a password, what risk the password mitigates and the unintended consequences, I&#8217;ll continue to use the only useable alternative.</p>
<p>My password book of death.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.atos.net/uk/2012/05/22/password-book-of-death/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>There&#8217;s no business in snow business</title>
		<link>http://blog.atos.net/uk/2010/12/13/theres-no-business-in-snow-business-2/</link>
		<comments>http://blog.atos.net/uk/2010/12/13/theres-no-business-in-snow-business-2/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 06:00:28 +0000</pubDate>
		<dc:creator>Paul Appleton</dc:creator>
				<category><![CDATA[CIO Agenda]]></category>
		<category><![CDATA[Strategy & Innovation]]></category>
		<category><![CDATA[Working in IT]]></category>

		<guid isPermaLink="false">http://blog.atos.net/uk/?p=410</guid>
		<description><![CDATA[<p>Snow. Don’tcha just love it? A licence to slack, for sport, for making snow angels and snow men. It’s what, ahem, “working from home” is all about. You can’t trust your employees. They are basically children with money. You can’t trust ‘em if you can’t see ‘em. If you can see ‘em then they must <a  class="more-link" href="http://blog.atos.net/uk/2010/12/13/theres-no-business-in-snow-business-2/"><span class="post_goto aGoTO">read more</span></a> </p><p>The post <a href="http://blog.atos.net/uk/2010/12/13/theres-no-business-in-snow-business-2/">There&#8217;s no business in snow business</a> appeared first on <a href="http://blog.atos.net/uk">CIO Agenda</a>.</p>]]></description>
			<content:encoded><![CDATA[<p>Snow. Don’tcha just love it? A licence to slack, for sport, for making snow angels and snow men. It’s what, ahem, “working from home” is all about.</p>
<p>You can’t trust your employees. They are basically children with money. You can’t trust ‘em if you can’t see ‘em. If you can see ‘em then they must be working. Hard.</p>
<p>The recent and ongoing debacle with the white stuff shows that organisations need to take a consistent line on remote working: either provide the tin or don’t come to the party. Either trust or judge by presenteeism. If you trust then it is essential that the necessary support services are in place, but that’s more than merely the technology. Any organisation can invest in collaboration tools, laptops with video, remote meetings, agile telephony and virtual teams. Indeed, any organisation that does not have these tools is rightly judged to be a laggard with skewed priorities. If you don’t trust, then make it clear: your staff’s value is the warmth they give to their chair.</p>
<p><span id="more-410"></span></p>
<p>For business continuity, these tools are essential. When the snow falls and staff stay home, the organisation can continue to function by taking advantage of new technologies. Having a clear policy that supports such measures is essential, but so too is the culture that is required to ensure that staff know their responsibilities and duties. Behind this, strong systems are needed that enable remote working which in turn requires investment and clarity on investment priorities.</p>
<p>Once an organisation untethers its staff it can release expensive buildings and start to push support costs back onto the individual, where the individual is given the freedom to choose their technology and the responsibility to manage that choice.</p>
<p>The choice is simple: we play our games as adult-adult, or we play our games as adult-child. When the snow falls, do we infantilise ourselves? And when it clears, do we mature?</p>
<p>Or are staff inherently unreliable wasters who need to be corralled into submission?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.atos.net/uk/2010/12/13/theres-no-business-in-snow-business-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
