Protecting the organization's ability to execute on its mission should be the driver for security controls. While I was delivering that message, a series of events reinforced the need for focus.
Here is the tale. The back story of my GrrCon talk. It is a tale of six notebooks. It is a tale of six security pros. And it is a tale of security being out of sync with mission.
Notebook one. My help desk provided me with a travel notebook, which I loaded up with my slide deck. I also made a copy on USB flash drive just in case. At the last minute, I decided to leave the notebook at the hotel room. After all, I thought, this was a hacker con. Did I want to expose the notebook to that risk? No, I decided, and opted for a little physical security.
Notebook two. Notebook two turned out to not be a notebook at all. See, the conferences that I have spoken at provided a notebook loaded with slides at the podium. I arrived early, checked the room, tried the mic and the notebook. Looked good, I thought. I later learned that the con had not provided notebooks. Why? “Um, Wolf, this is a hacker con.” Right. Physical security.
Notebook three. Turns out that what I thought was a con provided notebook was actually the speaker before me. She packed up, and I realized the mistake. Too late to return to the hotel now. I was on deck.
Notebook four. Infosec_Rogue and the #misec crew came to my rescue. Infosec_Rogue could not read my USB drive, of course, because his OS was locked down. (Good method of avoiding USB malware, btw. I lock USB down on all my Windows 7/2008 computers.) So we passed to the next notebook. OS security.
By this point, I had started in on my presentation. I apologize for not catching the names of the other folks that pitched in.
Notebook five. The fellow could read and copy my slides. Being a reasonably paranoid security guy, however, his Open Office was locked down. We have the slides! But we cannot show the slides. App security.
Notebook six. Copying the files from notebook five to a USB drive that could be read on notebook six, we were able to get the slides onto a computer with Office 2007. Bingo. We are in business. About a third of the way into my deck, my slides caught up with me. Score!
It was a funny but powerful reminder. The control environment: physical security; OS security by means of driver lock-down; application security by means of locking down Open Office. The impact on the mission: I gave a third of my talk with no slides. This was a talk on gearing security controls to the organization's mission. Hmm, irony, much?
When I get back to the office, I am taking a hard look at security controls that get in the way of people getting their work done.
Once again, thank you to the #misec crew for helping me out. You guys rock.