Archive for December, 2008
Arsonist snowglobes
Risk is a funny thing. Take, for example, these Giant Arsonist Snowman Snowglobes:
Some 7,000 jumbo-sized snow globes were recalled by Hallmark Cards Inc. because the holiday decorations can act as a magnifying glass when exposed to sunlight and ignite nearby combustible materials, the U.S. Consumer Product Safety Commission said on Tuesday.
…
The consumer agency said Hallmark has received two reports of the snow globes igniting nearby materials but no injuries have been reported.
In the past two months, there’s a one in 3,500 chance that your ginormous snowglobe will focus enough sunlight to burn your house down. That’s not quite twice the likelihood of dying in a car accident in any given year.
Posted in Security and Risk Management, Risk Management
Odds of dying
The National Safety Council lists one-year and lifetime odds of dying from a multitude of causes for people in the United States.
Handy for the next time you need some comparative likelihoods.
Posted in Security and Risk Management
Some like it insecure
I’m somehow surprised that I totally missed the announcement of a DLP partnership between Microsoft and EMC.
Bob had seen it, but his response was a yawn: “I saw it but the results from the work are a couple of years out so I ignored it. Maybe it will come sooner, but I do not trust that it will work beyond the MS world for years to come.”
The more I think about it, though, the more I see that all it does is provide yet another example of how hard it is to keep things under control in a large corporation. I’ll start with a quote from Rich Mogull’s generally excellent analysis:
“One of the biggest obstacles to a successful DLP deployment can be a poor directory infrastructure. If you don’t know what users have what roles, it’s awfully hard to create content-based policies that are enforced based on users and roles.”
Let’s be honest. Most large corporations can’t even begin to do that. At best, we know which Business Unit most of our employees generally work with. Take me as a case in point. I work for the CSO, who in turn works for the CFO, but I do half my work with IT, half with the Business Units, and half with the Security Group (yes, that’s three halves. I’m bad about 60-hour weeks).
So even if we could do this in theory, the reality is that this is as much a political as a technical or management problem. For example, when sales and marketing can’t agree who should be allowed to show sensitive information to customers, things tend to either be designed to fail open or get killed before they happen at all.
So now we’re left with an exception process that either subverts the goal of the control (indicating controls in excess of actual risk tolerances) or a huge cost center to manage and provision those exceptions, in which case the cost of the control makes it a target for cutting until we’re left with the former problem.
Second, given how much of our information no longer even pretends to live on systems we control, it would have to integrate with third parties, all of whom would need to be compliant. I suspect that even Wal-mart, legendary for their iron grip on their partners and suppliers, would struggle with this one.
Those third parties would have to have both the ability and the willingness to implement their technology to match “our” specifications, which probably aren’t their other customers’ specifications, and it all spirals downhill from there.
I’ll be honest. We struggle to get third parties to implement basic network-level controls or follow patching regimens (which, come to think of it, we often can’t do ourselves). What chance do we have of getting them to adopt a significant systems integration project which will require them to “open the kimono” to us regarding their own internal business processes and organizational structures?
Finally, the IT infrastructure, despite all efforts at “standardization” (which is what an IT person says when they really mean “monoculture”), is still a fragmented mess of platforms, vendors, and versions.
So what we have is something that sounds great in theory, but is more of a Platonic Ideal of secure information flow than anything that accurately describes the messy reality of how information is created, used and distributed across the modern corporate world.
And, despite claims to the contrary, my experience dealing with The Business (the non-IT people who actually conceive, make and sell things) suggests that’s at least partially by design.
That’s not to say that all hope is lost, nor that this isn’t valuable and useful technology. But it’s like any other tool: it has a time and a place, and things may get broken if used otherwise.
Posted in Observations, Security and Risk Management, Technology, Risk Management
Risk and Policy in the real world
I have an interesting example of Policy actually making things worse for you all today. It’s not horrible, but it illustrates the point and I can talk about it, so I will.
Today someone asked me if I knew that one of the floors of a facility I visit from time to time is a “No Visitors” area. This is due to the fact that the marketing teams have product prototypes as well as all of their collateral and other materials displayed or in-progress on this floor. I had to confess that I did not realize that. Even worse, most of the people who don’t reside in the “No Visitors” zone, as well as some who do, also don’t seem to be aware of that fact.
Enforcement is, as you would imagine, non-existent. That would be rude, after all.
To make matters worse, not only is there no access control (doors or guards), signage or other markings telling people that this floor is off-limits to visitors, but the canteen, which is open longer hours than the main cafeteria (for coffee, snacks, etc.), is located on this floor. As a result, at any given time there’s a steady stream of people who, even if they are employees, really have no business wandering around this floor.
So we have a situation where the people who need to display confidential information do so, safe behind the warm fuzzy blanket of their “No Visitors” policy. Everyone else wanders around their area in blissful ignorance that they shouldn’t bring their visitors through there on the way to the canteen.
And I get to clean up more messes. Happy almost-Friday!
Posted in Security and Risk Management, Risk Management
Asking the right question
It doesn’t matter if you get the right answer or not unless you ask the right question.
Paul Krugman explains this concept scarily well using Friday’s unemployment reports.
Or, to quote myself, “it is entirely possible to be both absolutely accurate and utterly wrong.”
In case you missed it…
Don’t try this at work. Remember, kids, we’re trained professionals–and most of the time, even we don’t get it right (or so we’re told).
Posted in Security and Risk Management
I need to hire an Investigations & Forensics person
This is something of an aside, but I’m trying to hire an investigations and forensics person.
This person should have experience not just performing forensic data collection, but also scoping and carrying out investigations into abuse and disclosure of sensitive corporate information within (and beyond) a large corporation.
The job is located in the Northern suburbs of Chicago and will be focused on supporting the Law Department’s Office of Ethics and Compliance in responding to Intellectual Property leaks. Experience with both internal and external investigations is highly desirable. Experience with diverse technologies, operating systems, applications, etc. is highly desired. A high comfort level dealing with applications, network protocols, Internet geography, etc. is also highly desirable. Literacy in multiple languages, especially Russian or Chinese, would be a strong plus as well.
Drop me a line to the last word of this blog’s title at this blog’s domain if this sounds like something that you might be interested in. No, it’s not a google-grade recruiting puzzle, but you should be able to figure it out if you’re someone whom we would want to talk to.
No recruiters, please. We have internal people for that sort of work and I can’t work with outside recruiters under any circumstances, so please don’t waste both of our time.
Posted in Security and Risk Management
