Managing Security Success

Employees should be educated about protecting info.

When president Bush and British Prime Minister Tony Blair got caught with their microphones on last July in St. Petersburg, Russia, The New York Times blogger Virginia Heffernan posted a clip of CNN video that included their conversation on the soundtrack.

Most of the subsequent comments posted on The New York Times site concerned peoples thoughts on the presidents word choice and table manners. But one comment focused on something actually worthy of serious thought: "Lets just be glad that neither person happened to discuss confidential information of national/international security import when both forgot that they still had microphones on their person."

This is the issue that comes up again and again whenever IT people try to live up to their responsibilities—not to mention meeting rapidly rising expectations—in securing critical data and ensuring the integrity of vital business processes.

You can throw technology at the problem as long as you have money to spend; you can throw even more technology at the problem if you hire your mathematicians and your coders overseas, although you then have to wonder about the loyalties and the incentives that might apply when code crosses national boundaries.

Still and all, no matter what technical measures you introduce, people will do and say careless things under insecure conditions.

You can burden your servers with 256-bit keys for encrypted databases, but people will still use their own names as pass phrases to generate those keys. You can put rights management tools in place to limit peoples freedom to edit or forward sensitive documents, but theyll still talk about things in the elevator or read things while sitting next to a stranger on an airplane.

We dont even have to rise to the level of heads of state to find the human factor being the fulcrum of information security. Last summer we saw PepsiCo and The Coca-Cola Company cooperate in nailing a Coke employee whos now accused of attempting to sell trade secrets to PepsiCo.

New-product development cycles entail broad vulnerabilities, and theres enormous pressure on corporations to accelerate all their processes, making them both faster

and flatter. Rarely do such re-

engineering drives include a mandate to make things more secure.

It may be a backhanded dividend of the post-9/11 world that companies and individuals now accept greater infosec (information security) responsibility. These things are relative: In a time when we have to take off our shoes to get through an airport, a request to change our network password every month and to meet minimum standards of password nonobviousness seems less onerous than in happier times gone by.

Moreover, in this era of bloggers sharing corporate dirty laundry with a worldwide audience, even the most aggressive head-office manager may be more likely to think twice before yielding to temptation and misusing leaked information.

The 11th Commandment is said to be, "Thou shalt not get caught"—as did Boeing, for example, when a number of the companys employees made competitive use of documents obtained from a former employee of competitor Lockheed-Martin.

When this came to light, it cost Boeing about a billion dollars worth of U.S. Air Force business. The 11th Commandment takes on added emphasis when someone with a Net connection is likely to be watching and to tell people what he or she sees.

Irrespective of continuing technical improvements in the infosec environment, technologists ignore the human factor at their peril. Unlike some elected officials, enterprise managers need to lead by example.

The role of every employee in treating information as an asset must be stated explicitly, monitored thoroughly, and rewarded promptly and conspicuously when faithfully performed. Technology cant do that; only good management can.