A wise man once told me about his discovery of the "Five Stages of Employment", which are a bit like the traditional "stages of grief"; i.e. how one comes to accept an imperfect situation with varying stages of grace. The stages of employment are: idealism, reality, anger, depression and hilarity.
When one begins a new employment adventure, one hopefully starts out with a certain level of idealism - thinking everything is going to be better, that they'll do great things and they'll receive ample support from co-workers as well as management. Reality comes shortly after - every job has its hurdles and bureaucracy. After realising this, when you think there might still be a way to fix these flaws, you get angry. When you realize some of these flaws are unfixable, depression sets in. After a while, you stop being so wrapped up in the flaws and can get enough perspective or emotional distance to laugh at these problems. In the next few months, we'll look at the top five suggestions for each stage.
When I got my start in the security business, it was working in the trenches at McAfee doing something like triage. I would sort incoming samples into queues to make sure the virus samples were handled in order of severity, and I answered incoming customer questions. These were mostly the usual "My left shift key isn't working. Is this caused by a virus?" or "Have you heard of that virus they mentioned on CNN last night?" But the answers to those inquiries almost always included some nugget of advice for how to better protect oneself.
Being insulated within a happy little research environment, you get a rather extremist view of how security should be dealt with. My top five totally obvious but unfortunately idealistic suggestions were these:
1. Everyone should know better than to open attachments they weren't expecting.
2. Nobody should be allowed to surf to the sketchier areas of the internet at work.
3. Social networking/video sites are dangerous and time-wasting and shouldn't be allowed in corporate networks.
4. Password length/complexity/freshness should be enforced absolutely.
5. Software and OS patches must be applied immediately after release.
Coming to West Coast Labs, I suddenly had a chance to interact with customers face-to-face and to have extended conversations about the dilemmas people have in the real world. I was absolutely dumbfounded to find out how even the most simple "security best practices" rules get thwarted in the real world. My favourite example of this was a CEO who insisted that YouTube be allowed, as videos of talking cats are essential to employee morale. Okay, maybe I added that part about talking cats, but you get the idea. The sense of anger and frustration from the security guy relating this story was palpable. Clearly a case of Stage Three.
There are certain businesses where I feel that an extremist view is still warranted: banks, hospitals, government offices/contractors, etc. Places where people's lives or finances are directly at stake should be draconian with their security policies. But I realise that for some businesses, things are not and should not be so dire. Most businesses fall somewhere in the middle, as they deal with customers' personally identifiable information or credit card details, which are still quite important to protect. These are the businesses which must struggle to find a balance between security and usability.
Next month we'll discuss the top five security suggestions for the real world.