Why do we need Information Management

I am guessing most of the readers of this blog are in the University of Washington’s Masters of Science in Information Management (MSIM) program.  For those that aren’t, the MSIM program focuses on connecting Technology, People and Information.  I am sure you have heard the statistics about how much information is out there.  With the advancement of the internet, we have caused the amount of information in the world to explode.  All of this is well and good, but the problem arises when you try to make sense of the information.  I was watching a TED talk recently that was basically an overview of what the MSIM program is, without meaning to be.  The talk is given by Thomas Goetz and it focuses on two things: first, the use of fear to accomplish things, and secondly, the idea that more medical problems could be solved not by better medicine but by better information presentation.

As a security professional, the idea that fear wasn’t the best way to relay information was something that I hadn’t considered before.  If you have heard any sort of talk in regards to Computer Security, you have heard that a hacker can steal your identity, your bank account and, with a little effort, your first-born.  Okay, so I am exaggerating a little, but every talk I have given or heard about Computer Security has been about the negative effects of not securing your network.  Then, after giving presentations about how there is never a secure system, they wonder why executives haven’t approved their expanded budgets.  I believe we, as security professionals, are going about this all wrong.  Instead of focusing on how impossible security is, we need to start focusing on how we can make the network better overall with the enhancements that security brings.  In this realm I have found that UX people do a good job for the most part.  When they make a presentation about a new website design they don’t sit there and say how little traffic there is and how confusing the current User Interface (UI) is and then sit down.  They quickly go over part of the problems with the current UI and then go on to show how well their UI will work and what it can bring to the table.  Now this might just be an issue for Security professionals, but I have a feeling it isn’t.  Overall, as professionals, we need to focus on the idea that has been thrown around this blog, and that is the Value Added principle.  Focus on what value you are going to add to the company and how much it will help in the short and long term.

Now, as a final statement, this doesn’t only apply to people working.  If you are looking for a job, focus on what you can do for the company.  If you can get the other person even a little bit excited about what you could do for them, or the potential you have to help their company, you will stay in their mind.  And believe me, the more good things you give the interviewer to remember you by, the better.

Now I realize that this may not be new to most of you, but I found the talk incredibly interesting.  I have a link to it below in case anyone is interested.  What are your thoughts?  Is it better to go all positive?  Are there any drawbacks of only focusing on the Positive?  Or is it better to talk about a combination of fear and potential?

Too many TLA’s

I had a teacher once say that IT is riddled with TLA’s (Three Letter Acronyms).  He thought it was hilarious.  It wasn’t until I started really looking into IT, and security especially, that I realized he was right.  In the realm of technology there are some acronyms that most people know: HTTP, IP, PC and so on.  But when you add Security, it turns into something you would expect in your alphabet soup: PCI-DSS, SOX, FISMA, ISO, HIPAA, HITECH, UDP, TCP, CERT, IR, XSS, CSRF, PWN, IPSEC, SCADA, and the list goes on.  I am sure that you could guess some of them, but the first six are probably the most debated.  Payment Card Industry – Digital Security Standards (PCI-DSS), Sarbanes-Oxley (SOX), Federal Information Security Management Act (FISMA), International Organization for Standardization (ISO, don’t ask, it doesn’t make sense to me either), Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) are some of the security standards that businesses have to worry about.

Aside from these, there are any internal audits that companies have to pass.  Many times all this adds up to one thing: confusion.  Take a company that handles its employees’ healthcare records, holds a federal contract, and is a publicly traded company.  This company has to deal with parts of HIPAA and HITECH as well as FISMA and SOX.  You would think that these standards would correlate and go hand in hand, but they were all developed independently, so they have different requirements.  This is where Security Professionals are the most challenged.  Whether they are securing their network or auditing a network using these standards, there is a challenge.

Most often what happens is that a company that is trying to meet the requirements of these standards does one of two things: they either do the bare minimum to meet the requirements right before the deadline, or they essentially put everything behind Security and do things that will make the company more secure from their point of view, but do so at the cost of usability.  Now, I have written about how usability and security need to go hand in hand, so that isn’t the angle I want to take right now.

My main focus is that when companies think they have to choose between security and usability, it not only creates a hard time for users but creates a situation where users do things in order to get around the security measures, thereby creating security holes that weren’t accounted for.  Examples of this are writing down passwords and usernames, saving usernames and passwords in the browser, saving documents on a USB drive, and trusting links that may not be legit.  While this can be solved with good user training, there is no need to put that burden on the users, especially when, if a company is compromised because of the workarounds, the company still ends up paying the fine, which can amount to millions of dollars.

Basically, my suggestion is for all companies to stop looking at securing servers and networks and start securing Information.  That way it leads to looking at the data they are securing and not what is holding it.  This might force them to walk through what users are going to do once their applications and network are set up and working.  Hopefully this will allow them to start truly incorporating both usability and security into their business.

As a side note, if you are interested in the true cost of a security breach, there is a research project that I was a part of a few years ago that was presented at a conference.  The video is kind of poor quality, but the information is valid.  I didn’t present it but did work on the external costs, those aside from any possible fine that is part of a security breach. http://vimeo.com/5384048

A reflection on the power of UX

“The user is not like you.”

This is an essential mantra when designing user experience (UX) for technology-based tools, marketing strategies, and information retrieval systems. As students of information management, my iSchool cohort members and I have had to unlearn our own instincts for the purpose of better listening to users. Unless we do so, any new system or tool we design may not add sufficient value for the intended users.

In an important contribution to thinking about UX strategy, Samantha Starmer (a lecturer at the UW iSchool and senior manager at REI for information architecture and customer experience) has Tweeted, blogged, and presented about offering a holistic user experience. Since an enterprise may reach users through online, mobile, and in-person delivery systems, Ms. Starmer urges designers to think about all of the touch points in user experience. From my own experience, and from what I have so far learned about content strategy and UX, the standard processes for configuring a comprehensive UX strategy include:

  • Understanding the enterprise business model and customer service objectives;
  • Discovering how users find and interact with existing services (each platform is different!);
  • Formulating and delivering a consistent message and level of service for each platform;
  • Analyzing transaction data to grasp weak points in each delivery model.

Coupling good UX with a strong service model can lead to an undeniably powerful experience: I was fascinated by a friend’s blog post to this effect. My friend, Mary, works at a community library to assist job seekers in the Boston area. She spends a great deal of time helping people with online job applications, most often for entry-level positions. Many of the people Mary assists are not native English speakers and few have advanced computer skills. One of her recent blog entries told the story of an online application that was more user-friendly than any she had previously encountered (I would encourage reading the entire post here).

In purely heuristic terms, Mary liked the plain language of the application questions. In addition, she appreciated the feedback from the system, informing the job applicant how much further he had to go with the questions. Small details – an encouraging system-generated message, a friendly take on the drudgery that is an online form – inspired Mary to deem the experience “thoughtful, humane, [and] generous.” These are impressive adjectives. They are also a compelling reminder that designing and implementing UX strategies successfully can garner the trust, and even loyalty, of target users.

Given that UX can have such a powerful effect on a user’s perception of an enterprise, I began to wonder whether there are situations in which offering a “humane” experience is more important than others, depending on the enterprise or user task at hand. Although a seamless, well-executed UX strategy should be the goal of every user interaction tool, the reality is that most service delivery teams are forced to prioritize projects and enhancements based on limited resources.

How should an organization’s management determine its hierarchy of UX needs? And are there customer service situations where UX is more critical than others (such as complaints in service errors or product recalls)? Is UX more critical to certain organizational missions (e.g., disaster relief, child welfare organizations)? I welcome any insights on these questions – or any other thoughts on UX – in the comments.

Security Vs. Usability?

In the security blogs and conversations I have watched, most security people are constantly fighting usability or trying to get people to focus on security rather than usability.  I believe this idea is holding back security from progressing farther and faster than it could.  This is also stopping some very impressive security controls from being developed, and in many cases may stop companies from implementing the necessary security controls.

I was speaking with someone who had recently presented at a security conference.  He told me that there were multiple presentations where the first 5 slides were purely theory and 90% text.  In that atmosphere you are going to lose the vast majority of your audience, even if they were originally interested in the project.  In contrast, tonight I was at a Masters Thesis presentation.  These presentations were about things ranging from User Experience, Supply Chain Management, and Security to other Information Management topics.  Having previously heard presentations about all of these projects, I was amazed at how each project brought it down to the user level and why it was important.  After thinking about it, I realized that is what is missing from Security and Usability.  People spend all their time trying to do more with security or usability at the expense of the other.  I believe that if Security people spent more time thinking about how to make security usable as well as secure, companies would buy into security faster than they do now.

While I believe that much of the problem does lie with the security professionals, I also believe that this problem could be made easier if more User Design/User Experience people helped by actively incorporating security people while designing things.  If security and design worked together more, you would have better applications/networks and fewer applications like one I have to use that requires a 21 character password with at least 2 uppercase characters, 2 numbers and 2 non-alphanumeric characters.

As I am not a full-time security person and I don’t pretend to be a User Design/UX person, I eagerly await your thoughts.  Do you think that applications, or other computer-related things, can be made secure and usable, or is it a hopeless cause?