[iwar] [fc:Security:.Not.just.a.technological.problem]

From: Fred Cohen (fc@all.net)
Date: 2001-10-25 18:28:41



Security: Not just a technological problem

By Peter Burris, ZD Net, 10/25/2001
http://www.zdnet.com/zdnn/stories/comment/0,5859,2819925,00.html

Security is all about knowing and trusting that someone else is paying
attention to matters of safety, rights, etc., such that we, individually
and in the groups that matter, can focus on living our lives.

Today, the world finds itself feeling more insecure perhaps than ever
before. Why? Because we don't know exactly who or what would do us harm,
but we have the means to quickly learn about every single horrific act
that happens everywhere. Our condition today is less like a time of war
than a time of plague: our global village is under attack from an
unseen, poorly-understood contagion and we are watching our "neighbors"
suffer horribly on TV. Every incident of terror now is proximate to us.

Consequently, the living of our lives is in significant flux. And, we're
clamoring to take steps to return to a state of relative
normalcy--essentially a situation where we can go back to letting the
"experts" look out for our security interests.

However, we all know that each of us individually will be called upon to
learn new roles, be aware of new things, and exhibit new behaviors to
enhance our individual and community security. The debate regarding what
is expected of each of our leaders (both political and commercial), the
experts, and us is just taking shape.

As I see it, the debate will hinge on the interplay of three elements:

* Security, which I'll generally describe as a measure of certainty that
outside human forces won't totally mess up my day; 
* Privacy, which I'll generally describe as my right to withhold
information about what it is to be me (or, to put it into today's
technospeak term, my "identity"); and 
* Inconvenience, which I'll generally describe as the price I pay in the
form of tasks, actions, behaviors, or disclosures that I must suffer to
make sure that being me doesn't undermine someone else's security.

Central role for business leaders

Now, I'm not going to try to suggest
the optimal organization of these elements. But I will suggest that
business folk that don't understand the critical importance of their
voice in this debate, which will be most clearly articulated by the way
that they adjust and evolve customer and partner interactions, are going
to lose business--lots of it.

Business leaders must take a central role in this discussion. Security
is not a technological problem, per se. It is a social problem that can
be attended--partly--by technology. Ultimately, policy and process are
much more important to generating security than products.

To acquire greater security, business will foist greater inconveniences
on customers, largely by forcing them to disclose, either directly by
gathering personal information or indirectly by coercing different
behaviors.

Customers will accommodate new inconveniences. They'll learn new ways.
They'll factor new requirements into their lives.

But they also--absolutely--will respond to excessive, onerous, or stupid
security practices by changing their buying patterns, not just in how
they substitute one class of product for another ("Normally, I'd fly,
but I think I'll take the train to Boston"), but more subtly in how they
swap suppliers within a single product class ("Despite my frequent flyer
status, I'll go with a smaller airline carrier that doesn't have the
huge check-in lines").

Indeed, I think that this is so important that convenience will become a
critical brand element in all industries--not just fast food--over the
next year. Along with trust, maybe the critical brand element.

Moreover, I expect that the real lobbying effort in Washington won't
focus on bailouts, but rather on making sure that government-mandated
security precautions are universally applied across industries and their
close substitutes. Pretty soon you won't be able to purchase a nail file
in a train station, either.

The key thing to note, here, is that decisions about security, as a
social good, should not be left to technocrats. Your company's brand
already was subject to the actions of your IT organization, and your
partner's IT organization, and your IT suppliers, etc. But delegating
this critical element of the face your company shows to your customers
is a recipe for disaster. Any decision that changes the customer
experience must not be left to your company's--or anyone
else's--security "experts."

The tech industry is going to respond to the call for new security forms
with some phenomenal stuff. Partly, this is because few industries
historically have been as sensitive to securing business as tech
companies; this experience will be shaped into products and services and
transferred to customers through markets, as it should be.

But quite frankly, I am afraid that the debate will focus on the
perceived magic of technology; that privacy will be treated as a
disposable asset, when in fact it is a cornerstone of every capitalist
democracy; that few connect the dots between inconvenience and security;
and that excellent brands and highly trustworthy businesses suffer as a
consequence.

Peter Burris is an industry analyst and Meta Group research fellow.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:57 PST