Saturday, April 2, 2011

Multiplicity, Diversity, Security, and Great Companies

What is America’s greatest cultural asset? Well, there are many things you might cite: There’s the free market (though many might argue that the free market is a very good idea and America really should try it some time).
There’s also democracy (and we do indeed have the best democracy money can buy … we also seem to be hell-bent on exporting democracy with an impressive military zeal).
Nope, the thing that I think many more people would cite as our greatest cultural asset is diversity.
We have multiple ethnicities, multiple political views, multiple religions, and multiple subcultures … we have multiple everything! We have a multiplicity of multiples!
So why, pray tell, do we appear to think that corporate information technology monocultures, particularly where security is concerned, are a good idea?
I ask because what is it that every security vendor wants you to do? They want you to pick them and no one else … and many companies buy into this idea, which would be fine if the security companies were infallible … but they most obviously aren’t.
Look at the crop of security FAILs over the last few weeks: RSA, McAfee, Comodo … the latter, in particular, had the potential to really foul things up on what can only be described as a biblical scale.
So, take a good, long look at your organization and try to figure out at how many points in your infrastructure the failure of one vendor’s products could cause major problems. And at how many of those potential failure points is there actually only a single vendor? If that vendor were to disappear, which company would be the replacement and how long would it take to rip out the old and install the new?


This is the discipline of risk assessment and it’s usually pitched as something that only an expert can do. While it’s true that a really in-depth, detailed risk assessment is indeed an expert task, you, yes, Mr. CxO or you, Mr. line-of-business manager, can do a first-pass approximation before you call in the high-priced guys who will borrow your pen to write you an invoice.
What your snapshot analysis will tell you is three things: what your processes really look like now (you probably think of your processes as you saw them six months or a year ago), how they really function, and what the big, obvious things are that you should be aware of.
And you know what? When the expert gives you her report you might even be able to spot what she missed; after all, it’s your business.
And when your analysis is done, consider whether the diversity you currently have is enough for your business to survive when things go sideways: when vendors screw up or go out of business, or when hackers find a new vulnerability in the products and services you use, or when your own people screw up and leave the digital doors wide open, do you have a replacement and a second line of defense?
Great companies, like great nations, need diversity if they are going to survive in the long term.
