Most security solutions are a trade-off of ease-of-use versus security. As computer security measures grow in importance, previously uninterrupted legitimate processes get reined in or stopped altogether -- like my recommendation of not allowing non-admin users to install software without management approval. As companies grow more valuable, they are willing to accept higher levels of default security as measured against legitimate needs.
In my experience, most companies’ position on computer security goes through a series of evolving steps that I can only equate to Maslow’s Hierarchy of Needs from basic safety to self-actualization. All IT processes go through this sort of trending, truth be told.
A related example is how a company ends up forming a help desk team. When the company is small, it has just one IT person. As it grows, another person or two is added. Usually at this stage, employees know to contact the first IT guy (the IT manager), who triages the call and assigns it to a team member. As the company grows, more IT employees join the department.
Pretty soon, the company’s employees have each of the IT members' personal cell phone numbers (used to be pagers) and call them at will. Each IT employee is running off here and there based upon the whims of the employees, with little thought to efficiency.
Eventually, somebody figures that all the incoming calls should go to a common number so a triage decision can be made, and a centralized help desk is born. A little thought and planning ends up saving the company time and money, and makes the help function more efficient.
The same thing happens in computer security. Some companies, like a law office I visited last week, don’t have a clue. They are running a workgroup network full of Windows 95 computers with no log-ons, no anti-virus, no patches, and no firewall. Clearly a disaster already in progress.
But to be frank, that company and others like it aren’t ready to listen to my spiel about all the current security risks and how I’m going to make their network perfect. It was all I could do to convince them that it would be nice if a law office holding lots of confidential client information required log-ons to get access to internal data and installed an Internet firewall.
And that's where Grimes’ Hierarchy of Security Needs comes into play. Whenever I enter a company for the first time, I quickly try to measure its computer security maturity. Often I can do this in a few minutes. Mentally, I’ve classified them into five stages, much like Maslow’s Hierarchy of Needs, based on their approach to security.
In Stage One, no one thinks about computer security at all. Passwords are short and shared log-ons are common, no firewalls are installed, and the only anti-virus software they have came preinstalled on some new machines (and hasn’t been updated since). Nothing is encrypted or authenticated. Infected and compromised machines are so common that most employees keep using them even when they know they have problems.