From: www.itworld.com

Culture of Security

by James Gaskin

November 11, 2007


During the Altiris ManageFusion conference in October, I had the
pleasure of being on a security "panel of experts" for infotainment
during lunch one day. A panelist I hadn't met, Andi Mann of EMA, used
a wonderful phrase I warned him I would steal: culture of security.

Mann's point, and I think it's a great one, is that manufacturing
companies don't warn you about every single danger on the shop floor,
but they use OSHA regulations and employee training to create the
"culture of safety." Employees don't need to be told directly not to
stick their hands into a band saw because that falls under the culture
of safety training.

Imagine if your users understood the culture of security as well as they
understand not to stick forks into AC sockets. Wouldn't life be better
for IT and the general user population?

Now the question becomes how you instill a culture of security in your
business. After all, employees are adults with decades of safety
training, yet some still stick their forks into AC sockets.

This culture must drift down from above. Not the heavens, but executive
row (some of them may think they're angels in heaven, but we know
better). Training executives requires a considerably lighter touch, and
more patience, than training regular employees. But train them you must,
because many idiot vice presidents remain the biggest security holes in
major companies.

One mainframe data processing manager I met years ago enforced his
culture of security with a hammer. When he went to a new location, the
first data systems operator who walked away from a terminal without
locking said terminal got hit with said hammer. Actually the employee
got hit with a giant pink slip, so it was a metaphorical hammer. After
the first termination, remaining employees took security much more
seriously.

While a hammer as an executive training tool sounds wonderful, it's not
legal. So use something scarier than hammers: lawyers. SOX and HIPAA and
other government-mandated regulations should make a culture of security
easier to establish than ever before. Audit trails live forever, and
stupid e-mail messages never die. Data lost on a company laptop or PDA
always makes headlines.

Executives get leader salaries, and they must lead for security to be
taken seriously. Time for some culture in executive row, a culture of
security.

Andi Mann: http://emausa.com/web/ema_bio_mann.php