The “P” Word--- “Policy”

I had the opportunity this week to attend the RSA show and I wanted to share some thoughts from the week.

First, the funniest moment of the week came with Scott McNealy’s keynote when he invited Bill Gates to go hunting. That was timely, bordering-on-inappropriate-yet-hilarious humor. When I got home late last night I told my husband the story and he quipped, “Yeah, what’s the fine for shooting lawyers out of season?” I got another good chuckle out of that.

Yesterday I was talking to Eric Leach from Sun (Eric runs our access management and federation product line) and, as often happens when I talk to Eric, he managed to say a lot in a few words. Eric said, “as I walk around the RSA show, three words are constantly being used (or overused): policy, compliance and automation.” We joked that it was like a mystical chant running across the conference floor, hypnotizing people with the melodic chant of “policy, compliance, automation…, policy, compliance, automation…” luring potential customers into the booths with promises of salvation.

Eric’s right. Those words were everywhere and it got me to thinking and wanting to make a plea.

The “P” word is policy. It’s become a bad word in that the word “policy” in the technology arena has so many meanings that it has actually become meaningless. “Policy” means a lot of things, all of them ultimately in a business, and often security, context. A policy can be on data protection, a policy can be on access control in the platform or application, a policy can be in a dusty three-ring binder that no one ever uses, a policy can be made in response to a law or regulation. Sun’s Chief Privacy Officer and true policy expert, Michelle Dennedy, says that policy needs to be precise and readable, as in a sentence or two that lays out how Sun will govern a class of data in a certain context.

Technology’s role in policy (and compliance for that matter) is as an enabler for policy, making my company and my data more efficient or safer. The technology industry needs to take a page out of Michelle’s book and get more precise on just what it is we do to enable policy enforcement and automation (that’s the plea). Customers will benefit if we get a bit more precise in the use of the term “policy.” Let’s boil it down quickly and be able to tell people just what the functionality is that somehow helps enable policy implementation, enforcement or automation. Ultimately if we can collectively reduce the confusion for potential customers then we can move more quickly to solutions.

Now, before I get a flood of pot-calling-the-kettle-black responses to this blog, let me say that my paycheck comes from Sun, I work in this industry and I am sure we have work to do and thought to give on this as well.

How about a moratorium on the “P” word unless it is modified with a precise, readable explanation of what we mean?

We’ll talk compliance next time. For now, I am off to have a cup of coffee to jolt myself out of my “policy, compliance, automation” reverie.


Nice one, Sara; interestingly enough, at the Liberty sessions in Rome last week (where I spent my time in the Public Policy Expert Group) we devoted several moments to clearing up ambiguities in the use of the P-word.
Specifically (in our case) we were drawing the distinction between public (i.e. government) policy as a driver of privacy issues, and enterprise 'business' policy as another influence on the same matters.
Good to know we are thinking along the same lines. Einstein probably would have referred to it as 'quantum entanglement'.

Posted by Robin Wilton on February 17, 2006 at 07:02 AM CST #

Hello Sara, I've been working with Identity Management for quite a few months. This "new" approach to Identity Management is such an obvious topic, but so hard to accomplish!! Curious! We are trying to help HealthCare in my country to achieve compliance terms according to "Quality Terms", using Sun Identity Management and Auditor. It's a huge task!!!! Pls continue the excellent work you've been doing. Tks

Posted by Ricardo Sousa on February 24, 2006 at 12:41 AM CST #
