Why the magazines keep getting it wrong - the answer to data breaches is not technology and legislation
After wrapping up another delivery of the training experience I designed on Effective Assurance, I came across these two related articles, one in eWeek and the other in Information Week - and both set me off, since they continue to claim we are helpless without technology and legislation!
IT Pros Say They Can’t Stop Data Breaches
(http://www.eweek.com/article2/0,1759,2010325,00.asp?kc=EWRSS03129TX1K0000614)
Research: Privacy, Security Problems Alarming But Fixable
(http://www.informationweek.com/story/showArticle.jhtml?articleID=192500245&cid=RSSfeed_IWK_Security)
We already know there are simply too many data breaches being reported - and what scares me is the number that are being unreported, or worse - unnoticed!
So in the wake of these breaches, more research was announced today, and the way it's being reported, IT professionals are, or feel, helpless to do anything to prevent these breaches. Whether it's the researchers or the writers, the conclusion being drawn is that the complexity of our current solutions and a lack of technology leave us unable to defend and prevent.
I am sick and tired of seeing that excuse - we don’t have the technology! Sorry. I’m not buying it. It’s time to call BULLSH*T. Time to make a stand!
You want to know why we cannot seem to prevent data breaches? It’s because people continue to do stupid things! People take irresponsible actions and WE LET THEM. Employees fail to take responsibility and no one calls them on it. It was refreshing to me to watch the alums of Ohio rail against the school for their gaffes - but they never should have happened in the first place.
Seems to me that we are in an age where we want, indeed DEMAND, instant gratification. At the same time, we seem to have gotten ourselves comfortable with finger-pointing and passing the buck. While the Staples 'easy button' (TM) is funny and a great marketing idea, we simply don't have one for security. Security/Assurance is a process, not a product.
I look forward to the return of personal accountability. Bring back responsibility! I don’t think the answer is as simple as: we failed, now give us legislation and force people to act differently.
I think this is a challenging time when we require bold leadership to foster that return. As I have written about before, it’s a three step process:
1. We have to give people permission to care, to take responsibility, to make a difference.
2. We have to enter into a dialogue of empowerment. Empowerment is not a one-way communication.
3. We have to enable people to succeed, based on the effectiveness of our empowerment dialogue.
I’ll keep distilling the above points and will spend more time exploring them through this blog in the future. If you want to listen to me discuss this, I talked about it on Security Catalyst Episode 32. As I announced just this week, I am investing time and energy working on developing Security 2.0 - which is how I believe we have to focus on these issues to move forward. If we continue to believe security is complex and tied to technology, we doom ourselves to failure. We have to realize the role people play in the solution and work diligently to design and enact solutions that start to actually make security part of the fabric.
This is not about balance. This is about integration. Security is and should be a mindset, a way of acting and thinking to make a difference. In my experience, many of our problems, and therefore our solutions, reside in people, the way we act, the way we think, and the way we communicate.
See, I think the root of many of the data breaches (http://www.privacyrights.org/ar/ChronDataBreaches.htm - this is an impressive listing and worth your time) is carelessness, lack of responsibility and people not taking the required (and fairly simple) actions. Remember when we were taught to treat others' things as if they were our own? Whatever happened to that concept? I bet 80% of these breaches could have been prevented if people simply acted as if they were protecting their own information. And perhaps we failed by not giving them permission to take responsibility.
I have seen this first hand - both the problem, but more positively the solution. I have been working with people around the country all year to think differently about security - and it is making a measurable difference!
Now, as I continue to develop and roll out Effective Assurance in IT Operations, we engage this issue regularly. This experience was designed in an entirely different way from the ground up - to allow people time to engage, to think and to practice acting differently. By learning how to protect ourselves, by thinking differently, we discover that security is not scary, complex or an impossible goal.
One of the hallmarks of this course is the invitation to be present and to think. I can (and will) write more about those in the future, but essentially - imagine having a few days to engage, think, take responsibility and re-learn how you can make a difference based on what you know, think and yes, feel.
I’ve spent a year working on this. I know it works. So when I read these reports claiming we’re all helpless - I bet it helps sell newspapers, but I don’t buy it. And neither should you.
Join me in making a difference. Start today by taking responsibility and making a difference. I’ll keep sharing my ideas and insights in the blog and podcast. I am convinced that if we get started, others will join us. I’ll also work to teach you how to teach others - we can all build this together. It starts with us, but it can and will grow.
And then we don’t have to make excuses and we won’t have to apologize, since we will be more secure - it will be part of our fabric.
It is time to take a stand. It is time to make a difference. Comments are open, sound off!
Posted in Information Protection
RonW said,
August 31, 2006 @ 9:16 am
You make great points.
But you need to remember who pays for those magazines: the advertisers. They sell technology to fix problems. They don't want to hear that you don't really need all of the technology and should use what you already have. (See Martin McKeay's recent blog on "Using the tools you have" [http://www.computerworld.com/blogs/node/3318?source=NLT_VVR&nlid=37].) Vendors *use* those magazines to sell their technology. So of course the articles are going to be focused on technical solutions.
Also, security is a journey not a destination. We will never reach "secure." The idea is not to become secure, but to understand and balance the risks to your organization. Businesses take risks every day. It's a necessity of doing business. The key is to identify, assess, analyze and make cognizant decisions on those risks.
There is one point in the eWeek article where I agree: Rapkin’s comment on the “Culture of Society.” We often secure the wrong things in the wrong way. Plus those responsible are rarely given the authority to make necessary changes to properly protect the organization. Information security continues to be buried in IT…
Stay tuned for more on this point in a future blog.