The “P” Word: “Policy”
By saragates on Feb 17, 2006
I had the opportunity this week to attend the RSA show and I wanted to share some thoughts from the week.
First, the funniest moment of the week came with Scott McNealy’s keynote when he invited Bill Gates to go hunting. That was timely, bordering-on-inappropriate-yet-hilarious humor. When I got home late last night I told my husband the story and he quipped, “Yeah, what’s the fine for shooting lawyers out of season?” I got another good chuckle out of that.
Yesterday I was talking to Eric Leach from Sun (Eric runs our access management and federation product line) and, as often happens when I talk to Eric, he managed to say a lot in a few words. Eric said, “As I walk around the RSA show, three words are constantly being used (or overused): policy, compliance and automation.” We joked that it was like a mystical chant running across the conference floor, hypnotizing people with the melodic chant of “policy, compliance, automation…, policy, compliance, automation…” luring potential customers into the booths with promises of salvation.
Eric’s right. Those words were everywhere, and it got me thinking and wanting to make a plea.
The “P” word is policy. It’s become a bad word in that the word “policy” in the technology arena has so many meanings that it has actually become meaningless. “Policy” means a lot of things, all of them ultimately in a business, and often security, context. A policy can be on data protection, a policy can be on access control in the platform or application, a policy can be in a dusty three-ring binder that no one ever uses, a policy can be made in response to a law or regulation. Sun’s Chief Privacy Officer and true policy expert, Michelle Dennedy, says that policy needs to be precise and readable, as in a sentence or two that lays out how Sun will govern a class of data in a certain context.
Technology’s role in policy (and compliance for that matter) is as an enabler for policy, making my company and my data more efficient or safer. The technology industry needs to take a page out of Michelle’s book and get more precise on just what it is we do to enable policy enforcement and automation (that’s the plea). Customers will benefit if we get a bit more precise in the use of the term “policy.” Let’s boil it down quickly and be able to tell people just what the functionality is that somehow helps enable policy implementation, enforcement or automation. Ultimately if we can collectively reduce the confusion for potential customers then we can move more quickly to solutions.
Now, before I get a flood of pot-calling-the-kettle-black responses to this blog, let me say that my paycheck comes from Sun, I work in this industry and I am sure we have work to do and thought to give on this as well.
How about a moratorium on the “P” word unless it is modified with a precise, readable explanation of what we mean?
We’ll talk compliance next time; for now, I am off to have a cup of coffee to jolt myself out of my “policy, compliance, automation” reverie.