Rob Fuller brought up an interesting question on Twitter today:

Now, everyone who responded that you are still at IE in the enterprise. Why? Did you show TPTB clickjacking and it’s effects?

Here is why I believe organizations cannot simply “up and switch” to a different browser (regardless of security concerns).

Training

Not everyone is a “power user”. If you switch the browser that the mail clerk, accountant, or CxO use it may confuse/scare/panic them. Many people have an expectation of stability in their applications and will require formal training to use a new one (yes a browser is an application). Not only will your users need to be trained but your support organization will also have to learn how to handle the influx of support issues that will inevitably be raised.

“I used to do xyz in IE but I don’t know how to do it in this new browser!”

“What happened to all of my book marks? What did YOU do?”

“Our custom application no longer works with YOUR new browser that YOU installed. I want my old browser back NOW!!”

Anyone who has worked in a support role is familiar with hearing these questions after a poorly planned roll out of new software. If not…you’ve missed out 🙂

Money

“But aren’t browsers are free Andrew?!?!” Why yes, they are. But the time it takes to deploy an application to a large enterprise is very time consuming. There is (or at least should be) integration testing, quality assurance testing, acceptance testing, and training. This costs money for project planning resources, testing resources, implementation resources, and so on.

Don’t forget the cost of training your staff to field the aforementioned questions in the previous section. Not all front line support staff will know how to support the new browser and may require training which costs time and money.

Deus Ex Machina

Thanks to Ryan Russell for reminding me that this was the term I was looking for – stupid Grade 9 English class failed me!

At the end of the novel Lord of the Flies, the group of ship wrecked children are miraculously saved when it appears all is lost. This literary device, called Deus Ex Machina, is often unknowingly employed by executives who have blind faith in a third party (e.g. Microsoft, a patch management solution, IPS signatures, and so on) to solve the problem at hand.

Unfortunately, this one is for you Rob Fuller, this is the kind of battle that security professionals fight daily. How do you convince your executives that it’s time to invest the time and money into a different solution? It all comes down to putting the problem and solution in terms they can understand – cost/benefit analysis. If you can prove to your executives that switching to an alternate solution, although potentially costly in the short term, could reap long term security, financial, and productivity benefits for the company (not necessarily in that order of course) then you may find your executives on your side.

Blind Eye

We all know that it’s sometimes easier to just turn a blind eye to the problem.

“Well it hasn’t hit us yet and we don’t know anyone that has been attacked using this exploit/hole so we’re probably safe.”

Ummm….I guess that’s true in a warped logic sort of way.

“We’ve been using this browser for years so we’re not about to change it now.”

Ah yes…the old “if it ain’t broke don’t fix it” approach. Unfortunately it, meaning the browser, is broken and it’s up to you, the security professional, to convince them, the organization powers-that-be, that it’s time for a change. Good luck as this will be the hardest fight of your life. Throw back some espresso, pull up your socks, and come out swinging!

You’ll need to show them the risks associated with not switching to a different solution. Throw in some cost/benefit analysis and you might make it through to the final round, but I guarantee that you’ll be tired, frustrated, and maybe even a little bloody.

Conclusion

I hope this sheds some light on why I believe that an organization switching to a new browser isn’t as cut and dry and we security yokels would like it to be. You may not agree with all of my points but I hope that one or two items might make you think differently.

As always, I’d be happy to discuss this further with any of my readers via the comments in this post, via email, or even via phone/Skype.