Getting Past "The Way We Have Always Done It"

Change is hard.  There is no getting around it.    How often is adoption of a better way of doing things blocked because people do not want to step out of their comfort zone and would rather wait for a catastrophic event to jog them into action? Every one of us has at some time or the other taken the easier road, knowing that the other, possibly better option, requires more work and a level of risk that we are leery to take.

Information security offers some great illustrative examples of this attitude. 

An Information Security team was looking to roll out a multifactor authentication solution for a business critical application.  The goal was to have users (under certain high risk conditions) answer security questions or enter an authorization code sent to their cell phones.  Since the initiative was launched as a result of audit findings, the assumption was that it would be easy to push through.  Wrong assumption, as it turns out.  While everyone agreed on the vulnerability, any attempt to address it was strongly rebuffed.  The application administrators were adamant that they were too swamped dealing with day to day operations to find the bandwidth or resources to roll out anything new, even if it meant better security controls.  The business felt that users would be confused if they were asked to do anything more than entering a username and password.  The Information Security team was unable to translate the very real risks identified in the audit reports into something that got executive backing. Management did not want to upset the applecart, the application belonged to the organization’s largest revenue generation division; final outcome: everything remained in it’s far from ideal status quo until the threat was realized and the application was hacked.  At this point a huge amount of time and money was spent on finger pointing and tactical fixing!

Sound familiar?  To find out what kind of person you are, read the case study below and answer the questions that follow:

Customers commonly raise the following issues when discussing identity and access management solutions:

  • Disparate islands of  identity and access management solutions distributed within the organizational enterprise, each with its own silo of features and underlying technologies    

  • no mechanism to proactively identify issues in the infrastructure or applications; users have to call in before administrators become aware of inability to login, failed accesses etc.

  • solving issues requires  going to multiple documents, vendor websites, logging into different consoles and it all takes a lot of time and effort

  • business teams see these solutions as an overhead that slows everything down, rather than an enabler so getting additional resources or solutions is almost impossible

Solution ABC offers a collective dashboard view of the entire identity and access environment to allow for proactive management.  It is definitely the first of its kind and you are part of a team that is evaluating its value.

  1. As an operational administrator that manages the IAM infrastructure, would  you prefer to see IAM servers where CPU, memory and storage are maxing out

    1. Before they crash so you can address the problems?

    2. After the crash, so everyone acknowledges your ability to fight fires?

  2. As a security administrator would you like to:

    1. Be forewarned of a growing number of attacks on your web proxies?

    2. Bury your head in the sand and wait for the fateful call that you have been hacked?

  3. As a manager of these solutions would you rather:

    1. Have comprehensive reports that quantify the productivity of your teams?

    2. Set everyone scrambling through logs and audit trails and burn the midnight oil collating everything, when management requests justification? 

  4. In general do you think it’s better:

    1. To identify the need for additional servers and resources based on metrics and trends?

    2.  Wait till your solutions grind to a halt so it is amply clear that you need more resources?

If you selected a majority of Option “a”s you are the kind of person who typically looks for ways to solve problems proactively and you are not deterred by the lack of existing solutions or processes.  You will most likely recommend purchasing Solution ABC.

If you chose more of the Option “b”s, then you are more or a reactive person who likes to wait for problems to occur. You also enjoy the spotlight and pressure that comes when fighting fires.  Solution ABC would not be high on your radar of things to buy.

While it may seem reasonable to take the less disruptive approach now and again, it is important to avoid making a habit of it.  My consistent advice when faced with something new is to weigh the value/risk the solution brings against the weight of the problem set being addressed.  Make decisions based on strategic outcomes rather than pesky short term irritants. Anything new brings with it the need for education and new ways of doing things.  But if longer term it increases efficiency and optimizes people’s time then make the hard decision and go for change.

P.S: If you like the sound of Solution ABC, check out the following video:,Inc.