Culture of Security

By James Gaskin, ITworld.com | Networking

During the Altiris ManageFusion conference in October, I had the
pleasure of being on a security "panel of experts" for infotainment
during lunch one day. A panelist I hadn't met, Andi Mann of EMA, used
a wonderful phrase I warned him I would steal: culture of security.

Mann's point, and I think it's a great one, is that manufacturing
companies don't warn you about every single danger on the shop floor,
but they use OSHA regulations and employee training to create the
"culture of safety." Employees don't need to be told directly not to
stick their hands into a band saw because that falls under the culture
of safety training.

Imagine if your users understood the culture of security as well as they
understand not to stick forks into AC sockets. Wouldn't life be better
for IT and the general user population?

Now the question becomes how you instill a culture of security in your
business. After all, employees are adults with decades of safety
training, yet some still stick their forks into AC sockets.

This culture must drift down from above. Not the heavens, but executive
row (some of them may think they're angels in heaven, but we know
better). Training executives requires a considerably lighter touch, and
more patience, than training regular employees. But train them you must,
because many idiot vice presidents remain the biggest security holes in
major companies.

One mainframe data processing manager I met years ago enforced his
culture of security with a hammer. When he went to a new location, the
first data systems operator who walked away from a terminal without
locking said terminal got hit with said hammer. Actually the employee
got hit with a giant pink slip, so it was a metaphorical hammer. After
the first termination, remaining employees took security much more
seriously.

While a hammer for an executive training tool sounds wonderful, it's not
legal. So use something scarier than hammers: lawyers. SOX and HIPAA and
other government-mandated regulations should make a culture of security
easier to establish than ever before. Audit trails live forever, and
stupid e-mail messages never die. Data lost in a company laptop or PDA
always make headlines.

Executives get leader salaries, and they must lead for security to be
taken seriously. Time for some culture in executive row, a culture of
security.

Andi Mann: http://emausa.com/web/ema_bio_mann.php
