Security must be comprehensive and is effective only when properly implemented and
maintained. Still, strong management and user support for security programs
usually results from attack rather than plan -- corrective
versus preventive action. Duress stresses rather than
reinforces a security program.
Crackers need only one hole to get into your systems. You need to close thousands of
holes to keep them out. To do that, you need a calmly reasoned plan free from
reactive stress, and you need support from all levels of your organization.
Getting support requires tact and an ability to convey the risk facing the corporation.
When making your presentation, stress loss of public or client confidence, waning
shareholder support, and direct financial loss.
As important as management support is user support. Here are some common-sense
guidelines for positive relations with end-users:
Open communications with users. Don't just throw together a security
page on your intranet. Make sure your information is regularly updated, giving
users a reason to revisit the site. Don't wait for users to contact the
security group; proactively contact the user community with important
information through timed e-mail announcements, company newsletters, and
other corporate media. Above all, always listen to users. Be approachable
and never remain behind the locked doors of the security office.
Proactive awareness. While you may not use XYZ WebAccess at the
office, it is a good bet many of your employees do. Should your security
group learn of a vulnerability in XYZ software, pass it on to your users.
This demonstrates concern for your users' security beyond the perimeter of
your corporate castle. When users feel concern for their "cyber-safety" as
well as the corporation's, user support for security procedures will grow
exponentially. At the U.S. House of Representatives, I went on "the
offensive" in gathering intelligence on threats to our information
resources. By attaining a wide and detailed "Big Picture" of the threats
facing your organization, you will be better equipped to respond.
Transparent security. Yes, it may make your system "iron-clad" to
require twenty passwords, fingerprint identification, DNA codes, retinal
scans, and singing the first verse of the "Marseillaise" to log into the
corporate network, but you will pay a substantial equipment price to
process such personal identification.
More importantly, you will also lose employee support and willingness to
comply. This leads employees to skirt security, leave passwords under their
keyboards, or leave computers logged in after close of business.
Security should not burden employees, and does not have to in order to
provide adequate protection. Strong passwords and system activity logs are
good places to start for most organizations. Naturally, special situations
(such as needing dial-in access or access to sensitive networks) require
additional security, but that is "part and parcel" of the added
requirements the employee has in accepting responsibilities that force
him/her to access such systems.
Awareness of responsibilities. Don't assume that employees know the
full extent of their security responsibilities. I have experienced a
mission-critical systems administrator who didn't know she was responsible
for securing an e-mail server, and a human resources department that
dismissed background checks for systems staff as "time consuming and
costly." It costs under $100 to conduct a rudimentary background check on
an employee. Compare that to the thousands of man- and computing-hours lost
while repairing the damage a disgruntled insider can do to information
resources.
Software development is often a complex international enterprise. Some of
your system software is likely to be written in a country with different
laws and different political and moral agendas. In a world of
conflict, it is good to "know" the people writing mission-critical code.
The following example is like "locking a screen door on a submarine." The
US Agency for International Development (USAID) relies on foreign nationals
(who by U.S. law cannot hold a clearance) to administer the networks at
overseas missions. U.S. contractors working in Washington are required to
have a SECRET clearance to access the same unclassified information on
those same networks as the foreign nationals! If a foreign-national system
administrator is caught tampering or selling information, the most that
will happen is a firing followed by a State Department protest. This
highlights the importance of people knowing their responsibilities and of you
being responsible for knowing your people.
Building security knowledge into every job description and ensuring
managers know their security roles and responsibilities will support a
strong security culture.