“Hi. I’m Al. I work in IT Security. My job is to suck the fun out of life.”
That was how the instructor of one of the first security training courses I attended introduced himself. The introduction resulted in an eruption of laughter. Sadly, later in our careers many of us realized Al might not have been joking. But the rise of the application economy presents us with a tremendous opportunity to change that.
The consumerization “movement” has been prevalent for years, and the consumers won. Customers now demand engaging experiences that catch them in the moment. The technology necessary to create those amazing experiences is available today. Yet even a simple discussion of such apps can cause tension between IT, Security, and line-of-business teams. Consider the following example.
An app creates an emotional connection
You are visiting the Empire State Building in New York City at 4:00 PM. Unknown to you, your favorite band is performing at Madison Square Garden at 7:00 PM. As you exit the building your smartphone comes to life. “Hey, George! The Wiggles are playing just three blocks from you at 7:00 this evening. Would you like to go?” You tap the “Yes” icon so hard you almost break your fingers. After a quick dinner you arrive at the venue and see a massive line-up. You bypass the line and enter through a turnstile that senses your mobile phone and turns green as you pass. The app directs you to your seat where someone delivers the concessions you ordered earlier. As the curtain rises you think “this is awesome!” You start to build an emotional connection with that brand.
Simple apps, complex systems
That all sounds great, but there is a lot going on behind the scenes. The app is taking advantage of on-device sensing, it is likely cloud driven, it leverages analytics (perhaps big data technology), and it is completing orders on a back-end system that may reside on a mainframe. But what a service! Then, just as you finish drawing your application architecture on the whiteboard, the door opens and you hear, “Hi. I’m Al.”
Al continues, “That data is too sensitive for a mobile app, and there’s much more data there than you need – and what you don’t need is even more sensitive than what you do need. If you want to even think about an app like this…” As you hear the rest of the oxygen rush out of the room, Al describes an 18-month, million-dollar-plus update that will never happen. But it doesn’t have to be that way.
While security should be a concern, it is not a reason to stop innovating. It can even be an innovation catalyst. For example, combined with modern architectures, modern API security tools can enable the creation of applications like the one in our example without the extremely risky, often very costly changes that would otherwise be required on the back end, and can even reduce delivery times by weeks, months, or more.
Just Say No to “No”
Technology alone cannot solve this problem. The application economy demands we change our approach from “Why shouldn’t we do this?” – what my colleague Mike Denning calls “the security of NO” – to “How could we make this happen (…safely, more efficiently)?” Mike calls the latter “the security of KNOW.” That’s a great way to think about it. Once we change our mindset, we can demonstrate just how much a security team can drive new services and innovation in the application economy. In the application economy, the security team can, and must, become an innovation and customer experience enabler. So, just say no to “No,” and use what you “KNOW” to become an innovation catalyst.