Getting the security you need

22.10.2013 by Dave Kearns

Lately I’ve been writing a lot about how you should be improving your authentication and authorization. I’ve been haranguing you to get Risk-Based Access Control (RiskBAC) sooner rather than later. There has been some pushback.

It’s a truism in IT and security that “technology is easy, it’s the people that are hard.” Well, when moving to RiskBAC, the technology – or its implementation – isn’t easy. So if the technology isn’t easy, what does that say about the people? Darn near impossible, that’s what.

There are also two different people problems. The first is users. While we’d like users to understand and embrace any new technology we implement, the truth is that they hate change, no matter how much better off they’ll be and no matter how hard we try to sell it. In the end, they’ll go along because they have to, not because they want to. Education is key, but bribery can also be used, as this tale about a self-service password reset implementation shows.

Beyond the users, though, comes the real people problem: getting sign-off on the budget for the project from the key players in the organization. Everyone needs someone else’s sign-off; even the CEO needs the board to sign off. Over the 20 years I’ve been doing this I’ve tried to present strategies to get that buy-in. One of my favorites revolved around technologies for regulatory compliance. Because some regulations included criminal penalties for non-compliance, the argument I suggested was to present the technology you wanted (or needed) as the best way for the powers-that-be to stay out of jail.

While effective for the most part, that argument didn’t win many friends in the boardroom.

More recently, when talking about Information Stewardship (see our Advisory Note: From Data Leakage Prevention (DLP) to Information Stewardship), I urged that you compile a clippings folder of the consequences of information leaks in terms of publicity and monetary losses (or even entire corporate losses as in the case of DigiNotar). Again, not something that gets you invited to the weekend outing at the board chairman’s hideaway.

So what can you do?

If you’d thought ahead, you would have taken some business courses in college, maybe held out for an MBA, or at least taken a course in negotiation strategy. Failing that, let me recommend a couple of books.

Getting to Yes (1991 edition, by Roger Fisher, William L. Ury and Bruce Patton) is subtitled “Negotiating Agreement Without Giving In”. There’s a sort of companion volume, Getting Past NO (by Ury alone), subtitled “Negotiating in Difficult Situations”, which was released in 1991 along with the second edition of Getting to Yes. Both have been perennial listings on the Business Week best-sellers list.

Both involve a negotiating strategy originally developed at Harvard University, where Fisher and Ury were members of the Harvard Negotiation Project. Their work on the psychology of negotiation led them to postulate a method called “principled negotiation,” which they expounded in the 1981 first edition of Getting To Yes.

Principled negotiation involves five propositions:

  • Separate the people from the problem.
  • Focus on interests, not positions.
  • Invent options for mutual gain.
  • Insist on using objective criteria.
  • Know your BATNA (Best Alternative To a Negotiated Agreement).

In other words, make friends, not enemies.

Ten years later, when the second edition was issued, Ury realized that no matter how well you followed their advice there would always be those who simply didn’t listen and kept saying “no”. That’s where the second book comes in.

Getting Past NO looks at what comes next in the negotiation process. The book explains in detail how to:

  • Adopt a joint problem-solving mentality with the other side.
  • Break the five barriers to cooperation: your reaction, their emotion, their position, their dissatisfaction, their power.
  • Prepare, prepare, prepare yourself by identifying and developing:
    • The interests of each side
    • Options
    • Standards
    • BATNA – Best Alternative To a Negotiated Agreement
    • Your targets: what you aspire to, what you would be content with, and what you could live with

It is Ury’s underlying thesis that a good negotiation is achieved by two negotiators meeting the needs of both sides, never by one more skilled negotiator overpowering the other. If one negotiator overwhelms the other, the deal itself is weakened, since the loser may not recognize his own involvement and interests in the deal and therefore has no stake in seeing it succeed.

What’s really needed, of course, are great marketing skills. You need to convince the others in the negotiation that what you’re offering is what they want (not necessarily what they need). They may not know that what they want is Risk-Based Access Control, but by identifying what they want from information security, even if that is only to keep the company’s name out of the newspaper, you can better shape your “pitch” for the technology you know they need. For a closer look at our thoughts on this, see Martin Kuppinger’s keynote from last spring’s European Identity Conference.

Get the books, learn the methods, Get To YES.


  • http://twitter.com/GluuFederation @GluuFederation

    For better security, you need both "tools" and "rules". Risk-Based Access Control is interesting because it provides "tools for rules," which can lead to better governance. It's great to see work being done in this area. However, if I were a CSO right now, my biggest "bang for the buck" to improve security is to upgrade (1) how to authenticate people in my domain (both employees and customers…) and (2) how to publish APIs so apps can use that stronger authentication mechanism. For example, compare the ROI of Risk-Based Access Control with investing in an OpenID Connect service to publish APIs for strong authentication, as detailed in my blog of "do-it-yourself" two factor authentication: http://www.gluu.co/.icn4 If your plumbing is leaking, you need to fix the pipes before you install pipe-management software!

© 2014 Dave Kearns, KuppingerCole