
"Getting Tough" With Information Security Is Really Just Getting Smart

Today I saw the headline, "Energy gets tough on laptop use" in Government Computer News and I was curious to see that the story was about how the U.S. Department of Energy (DOE) is going to start actually enforcing their security practices by accurately inventorying and tracking their mobile computing devices after having "lost" 1,415 laptops in the past 6 years. The DOE also indicates they are going to start enforcing their security policies and procedures.

Huh? Using reasonable controls, such as inventorying computer equipment, is getting tough? Isn't it just good, basic information security actions?

And actually making personnel follow the policies and procedures is getting tough? Isn't this just smart management?

The sad truth is that so few government agencies, and a large portion of all organizations for that matter, have good, basic, comprehensive enforced information security policies and procedures in place that when something, that should have been done from day one, is now being implemented and enforced it is viewed as "getting tough."

It's too bad that implementing reasonable information security policies and procedures, that protect the business, is viewed as getting tough. It will be great to get to the day that your business leaders view information security as getting smart instead.

"Since his appointment in 2005, Bodman [DOE Secretary] has recognized that 'management deficiencies have been an issue throughout the history of the department,' Barnett said. 'He has been working to fully identify weaknesses and correct them at their source' in regard to computer inventory control. Barnett added that the laptop issue 'is something that has been developing over many years.'"

This points out the need for consistently enforcing the policies and procedures. It appears that managers recognized that there were no sanctions being applied if they lost a computer here, a laptop there, so they put their attention to other matters without much worry. After all, not following procedures saves them time, and if no one is concerned enough to enforce the procedures, they must not really be that important, right?

There is a snowball effect when policies and procedures are not consistently enforced. Manager B is diligently following procedures, but then finds out that Manager A doesn't and has never suffered any consequences to his career as a result. So, heck, since so much time will be saved, Manager B stops following the procedures too. Then Managers C and D find out that you don't have to follow procedures, so they stop following them too. Soon Managers E, F, G, H, all the way to Z have also stopped following security policies and procedures, because no one else is following them and no executive leader has lowered the boom on any of them. Soon no one is following security requirements.

As a result, policies and procedures that may be the best in the world are worthless because no one is following them.

It takes significantly more time to backtrack and try to get people back on board with following information security practices than it takes to enforce them from the very beginning. Not only this, but during the period when the requirements are being ignored the business is exposed to multiple security threats, and the organization may experience significant losses, including lost customers and a damaged reputation, while no security practices are being followed.

Some of the lessons to take away:

* Information security requirements must be visibly and consistently supported by the top organizational leaders.

* Personnel must receive ongoing training and awareness for the security requirements to not only ensure their understanding, but also to establish accountability for them to follow the requirements.

* Policies and procedures must be consistently enforced on an ongoing basis.


Comments

Rebecca, this seems to be the business culture of MOST companies. Policies and procedures are seen as something to keep auditors quiet. They aren't really looked at as being enablers of business and security. It appears that as regulations get more teeth and companies actually get hit with fines and penalties that hurt, then things may start to turn around. Unfortunately this is going to take a long time. The "Good Ole' Boy" mentality of many companies is too ingrained to change quickly.

Human nature is such that, unless forced to do otherwise, people will tend to do only what they prefer to do. For top decision makers, rigorously investing in information policy and practice is not viewed as being high in cachet, and they therefore assign it low or no priority. As many are slowly coming to realize -- too frequently, after the fact -- presiding over a major information breach, in addition to damaging innocent lives, can decimate a company and end a career.

Andy, yes, I agree that in recent years (post regulations and laws passage) information security policies have often been a cross-the-T's type of going-through-the-motions exercise for the benefit of the auditors. Prior to this there really were few organizations that even had policies.

However, executive support of information security policies and consistent application of sanctions is so important that it is incumbent upon information security professionals to establish communications with their business leaders to get this support. This will only come with a good understanding of the business, and with communicating clearly to executives how information security supports the business. Too many infosec professionals still do not talk in the language of their executives; they cannot expect to get executive support if they continue to talk in techno-babble that their executives not only do not understand but, more importantly for infosec pros to understand, do NOT WANT to hear. They want to hear how infosec impacts the business, and why policies and controls are necessary.

Craig, you bring up a good point; yes, people definitely need motivation to implement and/or follow information security safeguards. That motivation will vary from person to person, positions within an organization, and industries.

Information security pros need to realize that multiple motivations must be used to have a successful security program. One of the motivators necessary is executive support, another is consistently applied sanctions. To get these, infosec pros must get their execs' support.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.