Jay Heiser

A member of the Gartner Blog Network

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

Dogs, pocket knives, and laptops

by Jay Heiser  |  February 9, 2011

I’ve lost a string of pocket knives over my lifetime, some of them very nice, but I’ve got no idea who, if anybody, is finding them.  I did find a pocket knife once, but it was a cheap Swiss Army knockoff, and I didn’t keep it. My turnover ratio is barely -6.

Dogs are not currently a part of my daily life, but I’m fond of them and enjoy the companionship and entertainment value. Unfortunately, dogs are only good for about a decade, and even less if you get one of those pricey purebreds that have the genetic robustness of a Saxe-Coburg.

Like dogs and pocket knives, you can’t expect a single laptop to last your entire lifetime.  I’ve had 1 laptop stolen from my house, and 1 stolen from my office. I’ve never found one, so my laptop turnover ratio is -2.

In spite of the fact that laptops are so slippery, I’m still seeing corporate and government policies that require employees to maintain physical possession of their laptop at all times. Is a laptop really safer sitting next to you in a restaurant than it would be back in your hotel room? I have yet to encounter a company that issues watertight laptop cases to enable their travelling employees for the shower or spa, so I have to question how seriously anybody takes these policies. They are yet another form of “we won’t help you do the right thing, but if you do not do it, we reserve the right to punish you” policy.  This is not conducive to cultural change, it does not encourage cooperation with IT or the infosec function, it is counterproductive. Period.

Anybody with a role important enough to be issued a laptop is almost certainly putting sensitive data on that laptop. Encrypt it. It’s time for full hard drive encryption to be considered a standard practice. If this is not acceptable, and you still need to provide employees with remote access, then figure out some secure way to access the necessary applications from kiosks and home PCs. If this is not acceptable, then give up. Telling people not to lose their laptops is a non-starter.

Writing policies that forbid the inevitable is a waste of everyone’s time. If your data is important to your organization, and your employees need to access it when they are outside your facility, you need to pay for data protection technology.
