Since I read this post by Andy Willingham I have had an idea for a Blog post in my head. But, in my new job, I am very busy and have very little time for Blogging so I left the thought in my head. Today, I had some time and started going through my blog list and saw this article by Jeff Lowder and then I knew I just had to write this article.
Its amazing how two people can take in the same story and both get similar but different conclusions out of the story.
Andy basically relates the story of how Henry Ford lost out on market share because he was not prepared to make cars of different colours. He was basically so in the “make it quick and cheap” mindset that he would rather lose out to everyone else than change his beliefs.
You can read Andy’s article for his take on the story but I’m going to relate my take on the story.
Basically Henry Ford had an idea and it literally changed the world. For better or worse – cars are now cheap because of what he did. He missed out on the next step (making cars of different colours) and lost a lot of market share.
But bringing the conversation back to Information Security and IT – computers are now cheap because of efforts by companies such as Microsoft and IBM and Intel to make computers accessible to the man in the street. Of course, in doing so they have made Information Processing (creating information, storing it, working with it, moving it) very messy. Information flows all over and some of it gets lost and falls into the hands of people who shouldn’t have it. This is very similar to the mess of Car Manufacturing that Henry Ford was faced with. He then realised that getting rid of the mess and flurry that making a car entails and formalising the process would mean that cars could be made quicker. And with better quality.
I think that the next step for Information Security is proactively improving business processes so that Information Processing and hence Business Decision Making can be done with the minimum amount of “mess” (think maximum amount of CIA).
The problem with doing this is that Information Security will start to make the business slower and more restricted as processes are followed.
HOWEVER, and this is where Henry Ford went wrong, once the Information Security Nirvana state is achieved (and this is possible) that process can start to expand in ways that were not possible before. This is where the holy grail of ROI starts to show itself.
It takes some serious introspection to get to this point – if a business does not know what all its processes are (or should be) then the general feeling is to allow everything. Once it is known what the process should be then it is possible to manage the availability of information, the confidentiality and the integrity. More importantly you should be able to know who does what and what Information they need to do it.
We can also then know what the process should be doing and add in the nice-to-haves over time making the organisation more agile.
I guess the whole point of this post is that the fight is not “Information Security vs Ability” but “Knowledge vs. Ignorance”.
Henry Ford got to the point where his organisation (at least the manufacturing part of it) was self-aware and everyone knew what their part in the process was. He reached Nirvana but he never took the next step – expanding the process to be more agile.
I believe that the race is on now to get our Organisations to the “Nivana” point by introspection and using Information Security to tie processes down. And then to take it one step further by expanding the process and beating competitors.