Integrity begins within: Security pros lead by example
Computerworld - I recently learned that an acquaintance of mine did something dishonest in the name of information security, apparently in order to preserve or advance his own career. Stu (not his real name) acquired his former employer's complete disaster recovery plan in electronic form. At his new place of employment, Stu took that document and changed the headers and footers and some other details and then presented it as his own work.
Later, executives from Stu's current and former employers attended a business meeting. The purpose of the meeting, as I understand it, was a discussion on disaster recovery, kind of a "show me yours and I'll show you mine" exchange. (Stu's current and former employers are in the same industry.) The executives from the two companies were shocked when they discovered that their disaster recovery plans were virtually identical. The disaster recovery director at Stu's former employer recognized the other company's plan as his own.
Hearing this story reminded me of a critical fact: In business and information security -- and closely related disciplines such as business continuity and disaster recovery planning -- we lead by example.
In my columns, I usually speak to "you" in the second person. But on this topic, I will speak to "we" in the first-person plural. I want to make sure that you understand that what I'm saying applies not only to you, but also to me.
Do as we say, and as we do
In information security, we strive to improve the integrity, reliability and control of information systems, business processes and the people in the organization. Through policy and security awareness, we want the people we work with to act with good judgment and integrity.
Some of us are responsible for creating and enforcing security policies that apply to everyone in the organization. Whether we like it or not, we are role models. If, by our behavior, we are strict about conforming to security policy, then those who observe us are more likely to do the same. If, on the other hand, we act as though we're above the law, especially our own law, how can we expect others to be serious about conforming to it?
Truth in, truth out
Here's a simple and reliable definition:
Truth: factual representation of things that are; factual representation of events.
This has everything to do with information security. We expect applications to record, calculate, store and report events and information accurately. Truth in, truth out. We expect these events to be verifiable via audit logs so that the truth can be ascertained later if needed.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!