The Cisco Security Report Mistake: You Can't Trust Your Employees

Rob Enderle

At least that appears to be the major focus of a recent security report from Cisco. I think it makes a mistake, however, by focusing on technology to address what is largely identified as a behavioral problem. I was a security auditor for a number of years and head of a security research division, and have owned security several times during my career. I learned that a vastly more successful and much more cost-effective approach is to address the behavior directly. However, that choice is not one a CIO can make; like other decisions that affect the entire enterprise, it must come from the top.

 

In the end, I agree with Cisco that the problem exists. Where I disagree is both in who should address it and how it should be addressed.

 

Defining the Problem

 


The report starts out by accurately describing the status quo: a general business world where employee security training initially consists of being told not to lose laptops or share passwords. It doesn't point out that this has been degraded a great deal from earlier times and from more secure companies like Apple, where employees are a much more critical part of the security solution.

It then looks ahead at the trend to bring consumer products, which don't even have basic security, into businesses, and at an increased tendency, particularly by younger employees, to want to share what they are doing and seeing on social media. Add to this the trend of increasingly allowing employees to work on anything, anyplace, and you have a recipe for disaster.

 

The report does point out that part of this disaster recipe is the tendency for new employees to think security is someone else's problem. And there, I think, lies the mistake.


Apple Example

 

When Steve Jobs took over Apple, it actually had an ongoing and uncontrolled practice of leaking confidential information. The company was heavily targeted by news organizations wanting the latest scoop and, as a result, when new products were launched, they had already been widely discussed and often dismissed as inadequate. That was a big part of why the company was failing; it had lost control of the images that surrounded its products, and while competitors rarely took advantage of this information, they easily could have. A company that has since been defined by its ability to control its image and that of its products was, back then, unable to keep the necessary secrets.

 


