Thornton A. May: Can infosec cure stupid?

Is the world digitizing faster than we can handle it? As a very frequent flier (I'm on a plane about 280 days a year), I find that on just about any flight (you name the continent), in just about every row, passengers of every generation are actively engaged with a vast variety of digital apparatuses to either increase stimuli (music, video, e-books), reduce stimuli (the blessed Bose noise-canceling earphones), buy or sell something, or get work done.

But despite the ubiquity of the devices, hardly any of these people understand how all this gear works, where all the data that makes this magic happen comes from, how to fix things when they break and the implications of our technology usage behaviors on information security and privacy. This is the bomb that's ticking away in every infosec manager's nightmare: user ignorance. The question facing not just chief information security officers but all of us is, "How do we fix stupid?"

My colleagues in academia and my handlers at Computerworld quite rightly counsel me not to throw around the word stupid in print or online. Sometimes, though, no other word suffices. What other term can be applied to the employees and contractors at the Pentagon's Missile Defense Agency (MDA) who were "chided for using government computers to surf porn"?

Unlike employees of the MDA, most of us don't play a major role in this nation's ground- and sea-based missile defense programs. But our stupidity can nonetheless threaten our companies' security, if not the nation's. Take BYOD. Most often we focus on the "D," meaning the device, but we'd do well to give some regard to the "B" of "bring." Yes, users have a panting-dog desire to bring the device of their dreams with them wherever they go, but a surprisingly large number of them occasionally leave their devices behind. According to a report from the Ponemon Institute, "Airport Insecurity: The Case of Lost Laptops," up to 600,000 laptops are left behind in America's airports every year. In New York City alone, in the early days of the smartphone revolution, busy folk left 31,544 phones in cabs during one six-month period. Do we even need to talk about the number of USB drives left with dry cleaners?

As stupid as all of that sounds, it's not the kind of stupidity I'm really worried about. My deep concern is the systemic stupidity that arises from the fact that only a tiny fraction of the people living in this technologically complex world actually understand how any of this stuff works.

Personally, I acknowledge that I have been guilty of this kind of stupidity. But having recognized that I am not the sharpest knife in the drawer, I try to identify the sharp knives of my acquaintance and ask them how to hone my edge. The first step on the path out of stupidity and toward information security is to create an infosec brain trust: a group of people who are strategically, operationally and technically aware, and who are willing to answer your questions. Questions like, "Does this seem stupid to you?"

My brain trust consists of Dennis Devlin, of Information Security and Compliance Services at George Washington University; Malcolm Harkins, CISO and general manager of information risk and security at Intel; Eddie Schwartz, CISO at RSA; Steve Collignon, CISO at EIT Shared Services/ES Cardinal Health; and Peter Zuong, CISO at Ericsson.

Who are your go-to infosec "smarties," and what are they telling you? I'd love to compare notes.

Thornton A. May is author of The New Know: Innovation Powered by Analytics and executive director of the IT Leadership Academy at Florida State College in Jacksonville. You can contact him at or follow him on Twitter (@deanitla).

Copyright © 2012 IDG Communications, Inc.
