Being the “Bad Guy”

Are we in the "no" business? I have to ask that question because of what I sometimes encounter in PCI assessments and even PCI training. I recommend limiting Internet access or restricting access to cardholder data or changing a business process, and I am seen as interfering with some users' perceived ability to do their job. I am, in their mind, in the "no" business.

I saw an article in Slate subtitled "Why corporate IT should let us browse any way we want." The author's point is that restrictions such as access to social networking sites or "e-mail and chat programs, dating sites, shopping sites, and news sites like Digg or Reddit (or even Slate)" foster resentment, reduce morale, and are corrosive to creativity. Wow. And I thought I was just protecting the client. Is this guy clueless or am I missing something?

I read the Slate piece because of an interesting and very thoughtful post at Security Catalyst responding to it. The thinking is that while you may not agree with the Slate author, you have to admit that he represents what a lot of users -- your users -- are thinking. Instead of just responding with another rant, maybe we need to listen to the objections...really listen. Maybe we ought to take a look at the restrictions to make sure they really make sense. Then, let's educate the users as to why the restrictions exist. Maybe, and this is where we get a little optimistic, we can even convert ...
Source: Walt Conway @ PCI DSS News and Information

One Comment on “Being the “Bad Guy””

  • denniskuntz wrote on 14 December, 2009, 9:51

    Thanks for the kind words, and you reiterated my point very well. In addition to what you have to say in the post, I would offer this: As well as educating users about restrictions, and looking for converts, etc., we need to make sure that _we’re_ open to education and “conversion” as well.

    That way when we do indeed need to employ something that might seem to be draconian, we have that much more credibility. When you have that credibility, even if education and/or conversion didn’t take hold, you might get a response similar to: “Well, [insert security professional here] is normally pretty considerate, so if [he/she] needs to implement this, it must really be necessary.” That’s definitely not a bad thing.

Copyright © 2010 The Security Blog. All rights reserved.