My Grandmother was wise. She asked me the question back on 25th December 1984. "What does it do?"
After lunch on Christmas day, like many other twelve-year-olds, I was keen to share my excitement about the amazing things I could do with my computer. My poor old Grandmother patiently sat through a twenty-minute demo of my computer. It seems bizarre looking back, but I was most enthusiastic about a drawing program that required the most obtuse key combinations to manipulate the various tools and functions. My computer was an Atari 600 XL with a 1.79 MHz CPU and a whole 16 KB of RAM - clearly a monster!
My Gran was as patient as she was wise. Having smiled and nodded through my "presentation", she simply asked "what does it do?". I wondered whether she'd somehow mastered the ability of simultaneously dropping off to sleep AND looking interested! There was a long pause and then I realised what she meant. My computer didn't have a printer, as they were way out of my price range. It wasn't connected to any kind of network - home computers simply weren't capable of doing so, and there wasn't an "internet" to connect to!
My computer was simply an intellectually interesting hobby.
You may wonder why I've shared this story with you, but it has helped me many times to consider the prime reason I'm engaged in a whole range of activities.
Think about information security in this context. Most users simply don't understand WHY the security team mandates various processes and procedures. We all too often speak an alien language to "everyday folk". It's imperative that we consider the perspectives of those who are not specialised in the subject and translate into their language.
Think about many of the complex infrastructure projects you've worked on. How many of them were far more complex than they actually needed to be? At what point did your efforts cease to be worthwhile?
We should all be able to answer the "What does it do?" question in a clear and concise manner. Complexity is often the enemy of security. Elegant solutions usually win.
You may be wondering "What about IPSec?" or "What about NAP?" They are both complex technologies. You are of course correct, though their use CAN obviate the need to implement countless other security controls. Going crazy with IPSec and choosing to encrypt everything is generally a bad idea, because you lose the ability to inspect traffic.
Here's a closing thought - I worked as a consultant with a company that had implemented five different firewalls back to back in the belief that each would compensate for weaknesses in the others. Were they more secure? My view is "NO", as no one individual understood how to properly configure more than a couple of the implementations. Troubleshooting problems was a nightmare too.
Very true; the physicist Richard Feynman once observed that if you couldn't explain something in physics to an audience of freshmen in a one-hour lecture, then it wasn't properly understood.
A similar principle probably applies to infosec. In my experience, explaining "why" is often very valuable, as it also helps the end user understand the importance. The trick is doing so before their eyes glaze over :-)
Nik> Absolutely. I worked with a sales guy who insisted on a single page "why this product is worth the money" for everything he sold. It focussed the mind.