Integrity begins within: Security pros lead by example
Computerworld - I recently learned that an acquaintance of mine did something dishonest in the name of information security, apparently in order to preserve or advance his own career. Stu (not his real name) acquired his former employer's complete disaster recovery plan in electronic form. At his new place of employment, Stu took that document and changed the headers and footers and some other details and then presented it as his own work.
Later, executives from Stu's current and former employers attended a business meeting. The purpose of the meeting, as I understand it, was a discussion on disaster recovery, kind of a "show me yours and I'll show you mine" exchange. (Stu's current and former employers are in the same industry.) The executives from the two companies were shocked when they discovered that their disaster recovery plans were virtually identical. The disaster recovery director at Stu's former employer recognized the other company's plan as his own.
Hearing this story reminded me of a critical fact: In business and information security -- and closely related disciplines such as business continuity and disaster recovery planning -- we lead by example.
In my columns, I usually speak to "you" in the second person. But on this topic, I will speak to "we" in the first-person plural. I want to make sure that you understand that what I'm saying applies not only to you, but also to me.
Do as we say, and as we do
In information security, we strive to improve the integrity, reliability and control of information systems, business processes and the people in the organization. Through policy and security awareness, we want the people we work with to act with good judgment and integrity.
Some of us are responsible for creating and enforcing security policies that apply to everyone in the organization. Whether we like it or not, we are role models. If our own behavior shows that we conform strictly to security policy, those who observe us are more likely to do the same. If, on the other hand, we act as though we're above the law, especially our own law, how can we expect others to take conforming to it seriously?
Truth in, truth out
Here's a simple and reliable definition:
Truth: factual representation of things that are; factual representation of events.
This has everything to do with information security. We expect applications to record, calculate, store and report events and information accurately. Truth in, truth out. We expect those records to be verifiable through audit logs, so that the truth can be established later if it is ever questioned.
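Verifiable means more than "we kept a log file": a log that anyone with write access can quietly rewrite establishes nothing later. The following is an added example, not code from the column, of the property the paragraph asks for: an append-only audit log in which every entry commits to the previous entry's authentication tag, so altering, deleting or reordering an earlier event breaks every tag after it. The key, the event records and the helper names are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed placeholder key for the example only. In practice the key lives in an
# HSM or secrets manager, not beside the log it protects, so that whoever can write
# the log cannot also recompute valid tags.
AUDIT_KEY = b"constructed-demo-key-do-not-use"
GENESIS_TAG = "0" * 64  # tag the first entry chains to


def _canonical(record: Dict) -> bytes:
    # Stable serialisation so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(entry_without_tag: Dict) -> str:
    # HMAC over seq + prev tag + event, so the tag binds position, history and content.
    return hmac.new(AUDIT_KEY, _canonical(entry_without_tag), hashlib.sha256).hexdigest()


def append_event(log: List[Dict], event: Dict) -> Dict:
    """Append an event, chaining it to the previous entry's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": len(log), "event": event, "prev": prev_tag}
    entry["tag"] = _tag(entry)  # computed before "tag" is added to the record
    log.append(entry)
    return entry


def verify_log(log: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        # A deleted or reordered entry shows up as a sequence or chain mismatch.
        if entry.get("seq") != i or entry.get("prev") != prev_tag:
            return i
        body = {k: v for k, v in entry.items() if k != "tag"}
        # An edited entry (or one forged without the key) fails its own tag.
        if not hmac.compare_digest(_tag(body), entry.get("tag", "")):
            return i
        prev_tag = entry["tag"]
    return None


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Build a constructed log, then tamper with copies of it in two ways."""
    log: List[Dict] = []
    append_event(log, {"actor": "jdoe", "action": "download", "object": "dr-plan.docx"})
    append_event(log, {"actor": "jdoe", "action": "edit", "object": "dr-plan.docx"})
    append_event(log, {"actor": "asmith", "action": "login"})
    intact = verify_log(log)  # None: untouched chain verifies

    edited = copy.deepcopy(log)
    edited[0]["event"]["actor"] = "someone-else"  # rewrite history
    first_bad_edit = verify_log(edited)  # 0: the altered entry fails its tag

    shortened = copy.deepcopy(log)
    del shortened[1]  # drop the inconvenient middle event
    first_bad_delete = verify_log(shortened)  # 1: seq 2 now sits at index 1

    return intact, first_bad_edit, first_bad_delete


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner should keep in mind: a hash chain detects edits, deletions and reordering inside the log, but not truncation from the tail, since removing the newest entries leaves a shorter chain that still verifies. To cover that, the latest tag has to be anchored somewhere the log writer cannot reach, for example by periodically shipping it to a separate system or publishing it in a write-once store, and the verifier must compare against that anchor as well as walk the chain.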