Security Success Depends on Good Management

 
 
By Peter Coffee  |  Posted 2006-08-14 Email Print this article Print
 
 
 
 
 
 
 

Opinion: No matter what technical measures you introduce, people will do and say careless things under insecure conditions.

When president Bush and British Prime Minister Tony Blair got caught with their microphones on in July in St. Petersburg, Russia, The New York Times blogger Virginia Heffernan posted a clip of CNN video that included their conversation on the soundtrack. Most of the subsequent comments posted on The Times site concerned peoples thoughts on the presidents word choice and table manners, but one comment focused on something actually worthy of serious thought: "Lets just be glad that neither person happened to discuss confidential information of national/international security import when both forgot that they still had microphones on their person."

Click here to read an interview with PGP Director of Product Management John Dasher.
This is the issue that comes up, again and again, whenever IT people try to live up to their responsibilities—not to mention meeting rapidly rising expectations—in securing critical data and ensuring the integrity of vital business processes. You can throw technology at the problem as long as you have money to spend; you can throw even more technology at the problem if you hire your mathematicians and your coders overseas, although you then have to wonder about the loyalties and the incentives that might apply when code crosses national boundaries. Still and all, no matter what technical measures you introduce, people will do and say careless things under insecure conditions.

You can burden your servers with 256-bit keys for encrypted databases, but people will still use their own names as pass phrases to generate those keys. You can put rights management tools in place to limit peoples freedom to edit or forward sensitive documents, but theyll still talk about things in the elevator or read things while sitting next to a stranger on an airplane.

We dont even have to rise to the level of heads of state to find the human factor being the fulcrum of information security.

This summer we saw PepsiCo and Coca-Cola cooperate in nailing an employee of the latter company whos now accused of attempting to sell trade secrets to the former.

New-product development cycles entail broad vulnerabilities—and theres enormous pressure on corporations to accelerate all their processes, making them both faster and flatter. Rarely do such re-engineering drives include a mandate to make things more secure.

It may be a backhanded dividend of the post-9/11 world that companies and individuals now accept greater infosec responsibility. These things are relative: In a time when we have to take off our shoes to get through an airport, a request to change our network password every month and to meet minimum standards of password nonobviousness seems comparatively less onerous than in happier times gone by.

Moreover, in this era of bloggers sharing corporate dirty laundry with a worldwide audience, even the most aggressive head-office manager may be more likely to think twice before yielding to temptation and misusing leaked information. The 11th Commandment is said to be, "Thou shalt not get caught"—as did Boeing, for example, when a number of the companys employees made competitive use of documents obtained from a former employee of competitor Lockheed-Martin. When this came to light, it cost Boeing about a billion dollars worth of Air Force business. The 11th Commandment takes on added emphasis when someone with a Net connection is likely to be watching and to tell people what he or she sees.

Irrespective of continuing technical improvements in the infosec environment, technologists ignore the human factor at their peril. Unlike some elected officials, enterprise managers need to lead by example. The role of every employee in treating information as an asset must be stated explicitly, monitored thoroughly, and rewarded promptly and conspicuously when faithfully performed. Technology cant do that; only good management can.

Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
 
 
 
 
Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel