16 Aug 2007

The Wall Street Journal Followup

Since my posting on the 7th, the Wall Street Journal has posted a follow-up article here

It is by the same author who obviously was not aware of my post because she gets most of it wrong again. She chose to ignore Andy's input too. I found out about this follow-up from his Blog,thank you Andy.

My original post basically pointed out the main problem in her article which is that the Information Security policies that she is showing how to bypass are not made up by IT but by the security department. More to the point, they are signed off by upper management and by breaking them you can get into serious trouble with the Boss. Failing that the Boss himself may get into serious trouble with the law.

The author writes in this article about how "IT workers said they get blamed both by employees who feel too restricted and by company executives who, when things go wrong, fume that policies must not have been restrictive enough."

At the end of the day its not the It Guys who should be enforcing security, they have enough on their plates. It is business people themselves who should be enforcing the rules.

The IT department is usually the least respected department, it hires young people who don't know the art of dealing with people, especially those in upper management. More importantly - they are enablers. They fix things and make things work and that is how they are rated. They are also clueless (or they should be anyhow) about what information is important anyhow.

What about the fools in the Information Security department I hear you ask. They are there to make sure that Information Security is done, yes. But, at the end of the day neither them nor the IT guys will be in big trouble if Information is lost or leaked. Or wrong decisions are made using altered documents. It will be Business that pays. So, why have these lazy Information Security guys around in the first place? Really, its to inform the business people and to help them with implementing security.

If your staff are knowingly breaking rules that you have put in place... well... no Firewall, IDS or Antivirus or amazing CISSP is going to save your data.

I think that the WSJ has missed an opportunity to push the idea that Information Security is important and that the rules are there for a reason and that breaking them will not only upset the guys in IT but can make an employee lose the respect of his/her employers and possibly even his/her job.

Since my posting on the 7th, the Wall Street Journal has posted a follow-up article here

It is by the same author who obviously was not aware of my post because she gets most of it wrong again. She chose to ignore Andy's input too. I found out about this follow-up from his Blog,thank you Andy.

My original post basically pointed out the main problem in her article which is that the Information Security policies that she is showing how to bypass are not made up by IT but by the security department. More to the point, they are signed off by upper management and by breaking them you can get into serious trouble with the Boss. Failing that the Boss himself may get into serious trouble with the law.

The author writes in this article about how "IT workers said they get blamed both by employees who feel too restricted and by company executives who, when things go wrong, fume that policies must not have been restrictive enough."

At the end of the day its not the It Guys who should be enforcing security, they have enough on their plates. It is business people themselves who should be enforcing the rules.

The IT department is usually the least respected department, it hires young people who don't know the art of dealing with people, especially those in upper management. More importantly - they are enablers. They fix things and make things work and that is how they are rated. They are also clueless (or they should be anyhow) about what information is important anyhow.

What about the fools in the Information Security department I hear you ask. They are there to make sure that Information Security is done, yes. But, at the end of the day neither them nor the IT guys will be in big trouble if Information is lost or leaked. Or wrong decisions are made using altered documents. It will be Business that pays. So, why have these lazy Information Security guys around in the first place? Really, its to inform the business people and to help them with implementing security.

If your staff are knowingly breaking rules that you have put in place... well... no Firewall, IDS or Antivirus or amazing CISSP is going to save your data.

I think that the WSJ has missed an opportunity to push the idea that Information Security is important and that the rules are there for a reason and that breaking them will not only upset the guys in IT but can make an employee lose the respect of his/her employers and possibly even his/her job.