Because most IT practitioners aren't "people people" but are the kind of individuals who prefer the company of machines, they are likely to think of the problem as a human one, that if they could just get rid of the users, it could all be perfect. That naïve view, beyond its obvious unattainability, is a fallacy.
It's the systems that are most vulnerable to complexity. The more complex a single piece of software or hardware is, the more likely it is to be flawed and the less likely it is the flaws will be detected before an attack. The greater the number of pieces you try to cobble together to approach absolute security, the more likely it is that the attempt to integrate them will be imperfect and some border between them will offer a seam someone could exploit.
The result, however, of adding security on top of such Rube Goldbergiana is a plaquing up of the information channels that allow users to be productive; that plaque will always slow down and sometimes kill an organization. A chicken that recently came home to roost is an ex-client of mine, a freight forwarder.
The firm suffered a triple-whammy from 9/11. First, its management got very afraid, almost timid, about the external worldthe event triggered a general failure of nerve. They started paying more attention to what might go wrong than how to cope with the inevitable changes to their operations and business model. Second, because of the business they were in, government agencies started paying more attention to the company's transactions, which cost it extra auditing time and effort, all overhead, nothing productive.
The côup de gras, to help allay its fears, the company hired a manager-level fellow as IT's security czar. He was even more driven by anxiety than the executive team, and was hyper-energetic and very ambitious. These personality factors spun together to make for a perfect spit-storm. While he was tireless in devising procedures that slowed down network log-on and restricted access to data except when signed off on by a note from the worker's mother, he was larding up the network with new products, security patches and an attempted overseas outsourcing of his help desk to try to pay for all the new techno-binky purchases he hoped would ease his anxiety.
His actions inevitably added overhead (time, energy, cash), and that inevitably degraded productivity. The declining economy undercut the company's gross revenues at the same time, a perfectly fatal recipe.
Like a car owner who welds his sedan's doors shut and epoxies his windows in their frames, the company became a possession no one can highjack but can't be legitimately used either. The close to perfectly secured company shut its doors for good by late 2002.
But wait, there's more
Social, human factors, the way end users work within the over-secured system, present another set of overhead factors that diminish the ability to weather excessively locked-down environments. I'll explore that next time and give you a tool that can be of some use when you're confronting superfluous security silliness.
No need to weld those car doors when for $40 you could buy The Club.
Read part 2 of this article to see How Fear Impedes Security.