The Cisco Security Report Mistake: You Can't Trust Your Employees - Page 2

Rob Enderle
I should point out that Apple was one of the most heavily secured companies from the standpoint of technology at the time. Access was monitored and passwords were replaced by RSA keys. Much of the "consumer technology" didn't even exist then, suggesting that these devices, while certainly contributing to the problem now, weren't the cause of it.


To address this problem, Steve Jobs drove a military-grade security policy into the company. Security became everyone's responsibility and breaches, even unintentional ones, resulted in termination (granted, in some cases the termination was reversed when it was disclosed that the employee had done nothing wrong). World War II posters were placed on walls ("Loose Lips Sink Ships") and training on behaving properly both inside and outside the company was commonplace.


On top of this, information was regularly released inside the company that was altered so it could be connected back to the group and eventually the individual who leaked it. This allowed the punishment mechanism to function and, eventually, the Apple employee became what is arguably the most trusted (with regard to confidential information) in the technology industry.
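The leak-tracing mechanism described above, as an added illustration that is not part of the original column: each group receives a copy of the same memo with small, distinct details, and a leaked excerpt (exact or paraphrased) is matched back to the group whose copy it came from. The memo template, the group names and the varying details are constructed for the example.

```python
import hashlib

# Constructed sample: a memo body with slots whose wording varies per recipient group.
TEMPLATE = "The {adj} launch is planned for {date}; units will ship from {site}."

# Hypothetical groups and the distinguishing details each group's copy carries.
# Every value is unique across groups, so any one surviving detail points to a group.
VARIANTS = {
    "marketing":   {"adj": "revised", "date": "June 12", "site": "Fremont"},
    "engineering": {"adj": "updated", "date": "June 14", "site": "Elk Grove"},
    "sales":       {"adj": "final",   "date": "June 11", "site": "Cork"},
}


def render_variants(template=TEMPLATE, variants=VARIANTS):
    """Return {group: altered_text} plus a registry mapping sha256(text) -> group,
    so an exact leaked copy can be attributed by hash without keeping the memo text."""
    copies, registry = {}, {}
    for group, fields in variants.items():
        text = template.format(**fields)
        copies[group] = text
        registry[hashlib.sha256(text.encode()).hexdigest()] = group
    return copies, registry


def attribute_leak(leaked_text, variants=VARIANTS):
    """Attribute a leaked excerpt, possibly paraphrased, to the group whose
    distinguishing details appear in it. Returns None when nothing matches or
    when two groups tie, since then the excerpt does not single out a group."""
    scores = {g: sum(v in leaked_text for v in f.values()) for g, f in variants.items()}
    best = max(scores, key=scores.get)
    if scores[best] == 0 or list(scores.values()).count(scores[best]) > 1:
        return None
    return best


if __name__ == "__main__":
    copies, registry = render_variants()
    for group, text in copies.items():
        print(f"{group:12s} {text}")
    print(attribute_leak("Insider says the updated launch slips to June 14."))  # engineering
```

The same scheme narrows from group to individual by issuing a second round of per-person variants inside the group a leak was traced to.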


IT Is Not Your Mama


Technology can certainly play a role both in limiting the opportunity for a breach and in identifying one once it has occurred. However, it can't successfully become a parent. In fact, particularly with young employees, there is a tendency to rebel, and efforts to secure information that don't include behavior modification may have the opposite effect, as that rebellion itself results in a security breach. They may see it as a challenge.


Strangely, as was often the case when I was a security auditor, it was the executives who were the problem. Many seemed to think that one of their privileges was not to have to adhere to security rules and findings where confidential information was exposed because guidelines were inconvenient. For instance, in one office executives regularly brought in unauthorized women for entertainment (read between the lines) purposes. I understand their spouses were not amused. These executives were rarely punished and technology can't fix this.


Given that IT does not have the authority to discipline line employees, the solution typically can't reside in IT alone. And should IT take the parental role of telling employees how they should behave, or try to remote-control devices the employee thinks they own despite employee objections, the likely result will be a growing desire to outsource IT as a problem. However, if IT instead supplies tools that help keep an employee or executive from accidentally violating a policy that could get them terminated, then IT is a partner in security and the result is likely to be far stronger.


Wrapping Up: Technology Isn't THE Solution to a Security Problem


One of my most memorable moments at IBM was during sexual harassment training. The class was told that IBM had instituted a zero-tolerance policy with regard to inappropriate behavior and, in the class, was one of the highest performing IBM sales reps. Someone of his caliber was thought to be untouchable. This sales rep proceeded to tell an off-color joke, the instructor made a call, and two large security officers came in and escorted the now ex-IBM employee off the property. Since those in the class likely knew the guy, I've often thought the event was likely staged to make a point. I wasn't even in that class, yet I can recall that even thinking of telling an off-color joke or accidentally saying something inappropriate would send chills up my spine.


My conclusion after years of doing security audits is that if the employee is an active part of the security solution, you'll have fewer problems. If they aren't, they'll always find a way around technology and much of the money you spend on security will be wasted. In short, if the solution doesn't start and end with the employee, then IT isn't in a good position to secure the enterprise and perhaps shouldn't accept the responsibility for something they won't successfully be able to do.
