security.itworld.com

Culture of Security

ITworld 11/11/2007

James Gaskin, ITworld.com


During the Altiris ManageFusion conference in October, I had the pleasure of being on a security "panel of experts" for infotainment during lunch one day. A panelist I hadn't met, Andi Mann of EMA, used a wonderful phrase I warned him I would steal: culture of security.


Mann's point, and I think it's a great one, is that manufacturing companies don't warn you about every single danger on the shop floor, but they use OSHA regulations and employee training to create the "culture of safety." Employees don't need to be told directly not to stick their hands into a band saw because that falls under the culture of safety training.

Imagine if your users understood the culture of security as well as they understand not to stick forks into AC sockets. Wouldn't life be better for IT and the general user population?

Now the question becomes how you instill a culture of security in your business. After all, employees are adults with decades of safety training, yet some still stick their forks into AC sockets.

This culture must drift down from above. Not the heavens, but executive row (some of them may think they're angels in heaven, but we know better). Training executives requires a considerably lighter touch, and more patience, than training regular employees. But train them you must, because many idiot vice presidents remain the biggest security holes in major companies.

One mainframe data processing manager I met years ago enforced his culture of security with a hammer. When he went to a new location, the first data systems operator who walked away from a terminal without locking said terminal got hit with said hammer. Actually the employee got hit with a giant pink slip, so it was a metaphorical hammer. After the first termination, remaining employees took security much more seriously.

While a hammer for an executive training tool sounds wonderful, it's not legal. So use something scarier than hammers: lawyers. SOX and HIPAA and other government-mandated regulations should make a culture of security easier to establish than ever before. Audit trails live forever, and stupid e-mail messages never die. Data lost in a company laptop or PDA always make headlines.

Executives get leader salaries, and they must lead for security to be taken seriously. Time for some culture in executive row, a culture of security.

Andi Mann: http://emausa.com/web/ema_bio_mann.php

James E. Gaskin writes books (16 so far), articles and jokes about technology and real life from his home office in the Dallas area. Gaskin has been helping small and medium-sized businesses use technology intelligently since 1986. Write him at readers@gaskin.com.





Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.