A man walks into the doctor’s office.
The doctor says: What seems to be the problem?
Man: It hurts when I do this.
Doctor: Well, stop doing that.
Ba-dum bum, pish!
While this may draw a chuckle or a groan or complaints about what universal health care will become, there are some things that this fictional situation doesn’t address. If this was real, there would actually be a diagnosis and then a suggested treatment. And that treatment would depend on what ‘THIS’ is that the patient is doing. If ‘THIS’ is crucial to life (say lifting his hand to eat), then the treatment options become necessities and the patient wants to pay for a permanent quality solution. If ‘THIS’ is unnecessary to life (say learning how to throw an atlatl), the answer may actually be stop doing that, because it’s not worth the cost of the treatment just to do something the patient doesn’t need or want to do. If ‘THIS’ is an enhancement in life (say throwing a baseball with his kids), then the doctor and patient need to decide which treatments are available, what the effects of each one are, and perform some amount of cost benefit analysis to choose the best one for the patient.
So how does this apply to information security? Well, it’s another way to look at integrating security into an operational environment. Users are constantly requesting new capabilities in the Enterprise or complaining about the lack of functionality of the current capabilities. In this scenario you have the role of one of the doctors on the patient’s team, working with the Ops doctor to diagnose and treat the user’s pain, their ‘THIS’. The ‘THIS’ for this scenario is the capability the user is asking for or complaining about. And you have to find out if ‘THIS’ is required, an enhancement, or unnecessary.
If ‘THIS’ is unnecessary, then you need to be able to politely and firmly (possibly with support from policy [best] or management [hopefully]) deny the user what they want.
If ‘THIS’ is required, then you need to work with your team and with Ops to solve the user’s complaint or request at the most efficient cost in terms of time, money, and resources.
If ‘THIS’ is an enhancement, then you have some work cut out for you. Because now you need to perform some type of cost benefit analysis and provide it to management (and possibly to the user) so that they can make a good decision regarding implementing the solution for their request or complaint. Will it be the platinum, gold, silver, or bronze implementation? Temporary or permanent? Once those questions are answered, then you can provide a recommended solution, but management must make a decision and communicate that decision to the user as to whether or not their request or complaint will be resolved.
Because sometimes that decision is still: Stop doing that.