Reproduction permitted for personal use only. For reprints and reprint permission, contact firstname.lastname@example.org.
Editor's Note: Mark McDonald will be a keynote speaker at the 2012 Fusion CEO-CIO Symposium and a member of the Fusion 2012 Advisory Board. The keynote is "Amplifying the Enterprise: When Technology Trumps IT".
I dont blog a lot about security. I leave that to the security experts like John Pescatore and others. But recently in the last three weeks security has become a question raised by CIOs and business leaders.
Security is a big issue related to technology given recent security lapses at high profile companies and ongoing concerns with the cloud. The consistent disclosure of hacked accounts, security breaches and sites shut down. Each story makes news because risk, threat, loss attracts attention and attention makes money.
Media and management attention relative to security can easily take our focus off of the things that are important, which is how we move forward, how we improve, how we increase the integrity of the future. Business leaders, media and legislators are pursuing only part of the issue when they ask, Can this happen to us? The answer to that question is always, possibly yes. Someone who says no never is either misinformed or misinforming you.
Media attentions regarding security issues are framed in the light of technology. It is technology that is not secure. It is technologys responsibility alone to resolve the issue. Both are incorrect assumptions.
Technology is only part of a security issue. People are a major part as well, and a part that is not brought up in the media. This is not one of those dont blame the guns because people kill people arguments. Technology is important in creating access and the integrity of that access and investments in creating more security; higher integrity and greater capability based on technology are essential. But we cannot leave people out of the picture.
Organizations that see security as a technical issue are setting themselves on a path of continuous risk and vulnerability to security breaches and their consequences. Any company who lets an employee off the hook with the excuse that
The technology let me do it. If it was wrong, then the system should have stopped me
They get exactly what they deserve. No amount to technology, no matter how clever, comprehensive or capable will keep the wrong people out of the system or people from doing the wrong things within the system.
We need to review and re-allocate concern, attention and policies in terms of how it relates to security. Continued investments to make systems more secure, improve authentication, raise integrity, enhance detection, etc. are all important and critical. But we need to add to that. We need to make enforcing security policy a priority within our company, a consideration in who we work with as suppliers and a concern when dealing with new customers or new customer behaviors.
Security is an asymmetric game from a technical perspective where the attackers will always have the advantage. They have the advantage because there are always more attackers who collectively have more resources than the single company seeking to thwart their attempts. Yes each attacker may be small, but that is not always the case given recent stories regarding attacks on email systems.
The only way a company can start to address the imbalance is to change the game from many attackers against a single company, to many attackers against every person in the company. Mobilizing and reminding your people about their role in security is not a technical issue. It is a personal and professional issue.
Management has to set up to the security issue and take back their responsibility for the integrity of their people, information and systems. In too many organizations I get the sense that security has been relegated / delegated to technology alone and that is a huge mistake. Organizations may want to consider the following suggestions:
• Re-visit their policies and professional practices with regard to security, integrity and handling company information. If you have clearer rules regarding the misappropriation of money or violating your travel policy than you do about handling your companys information, then you need reform.
• Re-deploy all of your policies, including the ones related to information and technology security. Too often people assume that everyone knows the rules, that behaviors and norms are so evident that they do no require communication. Ask yourself what has been the turnover in your organization, not just people leaving, but reorganization, restructuring etc. We all need to be reminded of what being a professional means in our companies and assuming we know means that the company is willing to accept the lowest common denominator.
• Increase the responsibility and accountability of HR in these matters. After all they are the primary function responsible for personal and professional behavior in the organization. Policies and practices related to security and integrity are changing constantly and require active attention. For some reason, HRs role in this regard has appeared to shrink in the face of other responsibilities. Putting up posters is no answer and HRs role needs to change otherwise what you say has no teeth.
• Continue to invest in technology and efforts to address current and potential security issues. This means that IT and CISOs need to expand their view of security beyond preventing bad things from happening to finding new ways to make the right things possible. Without a proactive and solution focused view, IT and CISOs will always find their concerns in competition with business imperatives and economic realities.
• Raise the responsibility of managers and management in regard to these issues. Security issues will happen, but their cause, frequency, severity and your response should factor into executive and management evaluation, compensation and bonuses. Suffering an attack is serious, but its also part of doing business. Ignoring, creating or failing to respond to an attack is a different matter entirely. If your company has fired the CIO for a security breach, then it has taken a partial response at best.
These suggestions revolve around raising awareness and attention on the personal and professional aspects of keeping your company, its customers and information secure. Applying them to create a police state within your company is counterproductive, particularly given the level of collaboration required by modern business. These suggestions see to do more than creating additional external controls or more watchers to watch the watchers, etc.
These suggestions seek to tap into the internal compass that we all have about what is right and what is wrong. Too often that compass becomes compromised in the pressure to get results, the absence of re-enforcement, corporate culture neglect or simple ignorance of the evolving security picture to keep up.
Modern business demands new levels of innovation, collaboration, creativity, and agility. These are characteristics of strategic and comparative advantage. Each requires a level of personal, professional, and technical integrity. Taken together, those requirements multiply. It is foolish to think that technology alone can meet these requirements, making security a personal and professional concern and one that requires at least as much attention as your technology.Recent columns by Mark McDonald