Steve Riley, a Microsoft Security strategist, spoke today about balancing security concerns against usability and cost. Steve is an excellent speaker and made some great points about what is basically risk assessment/management.
Steve’s focus on economics and on rephrasing all security questions as economic questions reminds me a whole lot of usability discussions over the past decade or so. Security, Performance, and Usability share the characteristic of being basically not interesting. They are assumed and only considered when they are absent. No one buys a product because it is secure, performs well, or is usable UNLESS that is not the standard in the category, and then that is just an indication of an immature product category. The trio of Security, Performance, and Usability plays the role of the bass guitar of any product. It lays the foundation for a great user experience, but it does not make up a product.
In his 1994 book “Usability Engineering” Jakob Nielsen spends a long time on ROI, talking the language of the C-level folks and so on. This is the same path Steve is walking with security now. And I believe the future for at least Security and Usability will also share many characteristics. Usability went from after-the-fact quality control to a design discipline and is making inroads into product definition and becoming a strategic asset. In other words, Usability as a discipline has moved from cost center to primary value generator.
Some of the talks I have seen here at TechEd lead me to believe that Security could take a similar role. Security is not about fiddling with settings, but about making IT behave in a way that gives the business a competitive edge. If, for instance, the IT department can demolish the stupid wall between inside the firewall and outside the firewall and give all employees access to company resources regardless of location or computer, then a major hurdle will have been removed for when and where to work, which will ultimately make the company more competitive and productive. If security can enable this scenario, then that is a strategic business initiative, not some after-the-fact patch update or firefighting.