Profitable Companies Don’t Succeed by Sharing, They Succeed by Locking Up Crown Jewels
Written by Richard Boyer, Chief Security Architect, NTT i3
Rich’s Rules of Security #2
Don’t believe that your company’s internal business processes are about sharing. The reality is that your company is probably still in business because information is confined to a small group of stakeholders. And most likely, some product derived from that data was created and sold. It’s true, and you know it.
Twitter, Facebook, and even your neighborhood public library haven’t succeeded because they share. They succeeded because they locked things up. And what many of us typically think about sharing is not, in fact, sharing. Rather, when a company gives away something in an open manner, they do it because they expect to get something back, or they kept something, more valuable, locked up. You, too, probably do this, without even thinking about it.
For example, Twitter and Facebook’s “something valuable” are access to the detailed databases about their users, their interests and habits — and it is this valuable information they sell to their advertisers. And sorry to burst the bubble, but Twitter and Facebook aren’t free. They are extraordinarily expensive to their customers. Their customers are not the Facebook users and the tweeters using the service, but rather, the global consumer brands and companies trying to reach the people who tweet and post. These individuals are the valuable merchandise, and both companies spend enormous time and effort keeping that access locked up… so that they can sell access to that data to the highest bidder.
This same scenario applies to your local public library. They share books to members of the local community, but those of us who use the library are not the customer. The customer is the government agency that funds the library. The product is ensuring that books are available for loan, under certain rules. And unless you subscribe to the correct rules (e.g. have a library card), the books are locked up. And when too many people take books without permission, the library changes the rules. For example, my local library has all their books tagged with asset tags and detectors to alert the library staff when books are removed. Why? Because if libraries do not keep their books locked up and controlled, they do not get paid by whoever is funding them.
All this especially is true for the corporate infrastructure we all live in. Any successful company keeps their “crown jewels” safeguarded, be that source code, buildings, production lines, intellectual property, engineering diagrams, or institutional knowledge. Ultimately, they receive a fee to release some product based on that locked up information and the value it produces, be that physical products, virtual products, knowledge or other monetization mechanisms.
Unfortunately, this also means that not every employee is entitled to share his or her company knowledge. In fact, within most organizations, keeping siloes protects the company. And even within organizations that promote an environment where information is freely exchanged, the really important stuff is locked up and only accessible to a few key stakeholders, who are typically in the C-Suite or have been delegated responsibility for access.
Knowing this, we need to examine the security implications of the sharing culture. Security is responsible for three key tasks — two of which seem asymmetrically and dangerously at odds with one another. First, security must ensure that access to a company’s crown jewels is limited to a select group of individuals, not everyone at large. Next, security needs to facilitate the exchange of “everything else.” And lastly, security needs to control the influx and outflux of data and changes to the crown jewels.
Unfortunately, doing any of the above tasks tends to span a wide gamut in most companies. For example, organizational security focuses on locking up the jewels, but in most cases, they are lacking control of the influx and outflux of data as that is controlled by functional business units. Additionally, when most companies work hard at sharing, they tend to lose sight of security’s other key tasks such as ensuring minimal access to important data (and determining which data is in fact “important”). Instead, they allow a company’s best data and resources to be managed in a fuzzy security model, where individuals frequently do not understand the implications of sharing manage data exchanges.
For example, a database is highly secured and access limited to just a few, but those few with access create reports and email themselves to their personal email. Engineering code is never locked down and tracked, and dozens of people walk away with it. Suppliers and third parties have direct access to sensitive materials without being restricted to an absolute minimum, need to know status. And worst of all, all this occurs not because people are trying to do the wrong thing, but rather, because they have not been taught otherwise.
Is there a solution? The answer depends on each organization — how much time and how many resources are they willing to commit to keep their business safe? Ultimately, it comes down to putting the processes and controls in place that limit access, and spending the time and effort needed to manage the repercussions of those process. And while these processes can be messy and difficult in the beginning, people have and must learn to manage them.