Gartner Blog Network

Security is personal and professional more than technical

by Mark P. McDonald  |  February 17, 2012  |  2 Comments

I don’t blog a lot about security.  I leave that to the security experts like John Pescatore and others.  But in the last three weeks security has become a question raised by CIOs and business leaders.

Security is a big issue related to technology given recent security lapses at high profile companies and ongoing concerns with the cloud.  Disclosures of hacked accounts, security breaches and sites shut down arrive constantly.  Each story makes news because risk, threat and loss attract attention, and attention makes money.

Media and management attention to security can easily take our focus off the things that are important: how we move forward, how we improve, how we increase the integrity of the future.  Business leaders, media and legislators are pursuing only part of the issue when they ask, “Can this happen to us?”  The answer to that question is always “possibly, yes.”  Anyone who answers “no, never” is either misinformed or misinforming you.

Media attention to security issues is framed in terms of technology: it is technology that is not secure, and it is technology’s responsibility alone to resolve the issue.  Both are incorrect assumptions.

Technology is only part of a security issue.  People are a major part as well, and a part that is not brought up in the media.  This is not one of those ‘don’t blame the guns, because people kill people’ arguments.  Technology is important in creating access and the integrity of that access, and investments in creating more security, higher integrity and greater capability based on technology are essential.  But we cannot leave people out of the picture.

Organizations that see security as a technical issue are setting themselves on a path of continuous risk and vulnerability to security breaches and their consequences.  Any company that lets an employee off the hook with the excuse

‘The technology let me do it.  If it was wrong, then the system should have stopped me’

gets exactly what it deserves.  No amount of technology, no matter how clever, comprehensive or capable, will keep the wrong people out of the system or keep people from doing the wrong things within the system.

We need to review and re-allocate concern, attention and policies as they relate to security.  Continued investments to make systems more secure, improve authentication, raise integrity, enhance detection, etc. are all important and critical.  But we need to add to that.  We need to make enforcing security policy a priority within our company, a consideration in whom we work with as suppliers and a concern when dealing with new customers or new customer behaviors.

Security is an asymmetric game from a technical perspective, one where the attackers will always have the advantage.  They have the advantage because there are always more attackers, who collectively have more resources than the single company seeking to thwart their attempts.  Yes, each attacker may be small, but even that is not always the case, given recent stories regarding attacks on email systems.

The only way a company can start to address the imbalance is to change the game from many attackers against a single company, to many attackers against every person in the company.  Mobilizing and reminding your people about their role in security is not a technical issue.  It is a personal and professional issue.

Management has to step up to the security issue and take back its responsibility for the integrity of its people, information and systems.  In too many organizations I get the sense that security has been relegated / delegated to technology alone, and that is a huge mistake.  Organizations may want to consider the following suggestions:

  • Re-visit their policies and professional practices with regard to security, integrity and handling company information.  If you have clearer rules regarding the misappropriation of money or violating your travel policy than you do about handling your company’s information, then you need reform.
  • Re-deploy all of your policies, including the ones related to information and technology security.  Too often people assume that everyone knows the rules, that behaviors and norms are so evident that they do not require communication.  Ask yourself what the turnover in your organization has been, not just people leaving, but reorganization, restructuring, etc.  We all need to be reminded of what being a professional means in our companies, and assuming we know means that the company is willing to accept the lowest common denominator.
  • Increase the responsibility and accountability of HR in these matters.  After all, they are the primary function responsible for personal and professional behavior in the organization.  Policies and practices related to security and integrity are changing constantly and require active attention.  For some reason, HR’s role in this regard has appeared to shrink in the face of other responsibilities.  Putting up posters is no answer, and HR’s role needs to change; otherwise what you say has no teeth.
  • Continue to invest in technology and efforts to address current and potential security issues.  This means that IT and CISOs need to expand their view of security beyond preventing bad things from happening to finding new ways to make the right things possible.  Without a proactive and solution-focused view, IT and CISOs will always find their concerns in competition with business imperatives and economic realities.
  • Raise the responsibility of managers and management in regard to these issues.  Security issues will happen, but their cause, frequency, severity and your response should factor into executive and management evaluation, compensation and bonuses.  Suffering an attack is serious, but it’s also part of doing business.  Ignoring, creating or failing to respond to an attack is a different matter entirely.  If your company has fired the CIO for a security breach, then it has taken a partial response at best.

These suggestions revolve around raising awareness of and attention to the personal and professional aspects of keeping your company, its customers and its information secure.  Applying them to create a ‘police state’ within your company is counterproductive, particularly given the level of collaboration required by modern business.  These suggestions seek to do more than create additional external controls or more watchers to watch the watchers, etc.

These suggestions seek to tap into the internal compass that we all have about what is right and what is wrong.  Too often that compass becomes compromised by the pressure to get results, the absence of reinforcement, neglect of corporate culture or simple failure to keep up with the evolving security picture.

Modern business demands new levels of innovation, collaboration, creativity and agility.  These are characteristics of strategic and comparative advantage.  Each requires a level of personal, professional and technical integrity.  Taken together, those requirements multiply.  It is foolish to think that technology alone can meet these requirements, which makes security a personal and professional concern, and one that requires at least as much attention as your technology.


Category: cio  leadership  management  personal-observation  technology  

Tags: business-management  it-management  security-and-risk-management  technology  

Mark McDonald
VP Analyst
12 years at Gartner
33 years IT Industry

Mark McDonald, Ph.D., is a Vice President and Fellow Emeritus in Gartner for General Managers Program.

Thoughts on Security is personal and professional more than technical

  1. I do agree that finding a balance between appropriate levels of IT security and not stifling employees to the point of unproductivity is a difficult-to-track moving target. However, one cannot deny the role IT plays in driving business process. As such, IT security has some responsibility for guiding its users to proper business conduct.

    Like the automobile, drivers need very little understanding of how a car actually works in order to drive one. And cars these days have become highly complex pieces of machinery. It’s up to the computer to ensure that all of the systems within the car make every reasonable effort to ensure they’re operating within normal levels.

    Not all data losses or breaches are the result of intentional or malicious behavior. Sometimes employees send sensitive company data to the wrong email recipient. Sometimes a USB flash drive gets lost. Sometimes that old FTP account doesn’t get deprovisioned. Of course, there are cases of deliberate intent, like that terminated employee who made a copy of the customer list before going.

    IT security has its low-hanging fruit. The system administrator can easily employ things like enforcing the use of strong passwords. The network team can reasonably restrict which ports can be used. The DBAs can limit which users can access mission-critical databases. These are all things the IT organization can readily do, with minimal detriment to workers’ productivity.

    In the spirit of an agile workplace, IT security can keep a lax attitude on access controls, while keeping a close eye on audit logs. There are many tools that can help IT professionals identify technology abuse and target high-risk users or processes. If undesirable behavior is found, then the necessary steps can be taken for rectification. However, IT needs to have the necessary technology for obtaining this sort of visibility.

    In highly-regulated businesses, the IT organization needs to be more proactive, rather than reactive. General rules, based upon file content, can be used to prevent data loss. For example, things classed as PCI data should be sent only to whitelisted recipients. Likewise, only certain recipients should be allowed to obtain files with PII like social security numbers. These assertive IT practices can help keep a business compliant, without being overbearing on its employees.

    SEEBURGER has many solutions that can help businesses find the right balance between IT security and employee productivity. It provides users better alternatives for moving and accessing data. SEEBURGER offers businesses proven IT processes that can be leveraged out of the box. The solution set has a centralized dashboard that gives IT operators a single point of visibility and management.
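One way to implement the content-based outbound rules the comment above describes (PCI data only to whitelisted recipients, SSN-bearing files only to certain recipients), as an added example that is not drawn from the post, the commenter or any SEEBURGER product. The data classes, recipient domains and sample messages are constructed; the Luhn check is used so that random digit runs are not mistaken for card numbers.

```python
import re

# Constructed policy: data class -> recipient domains allowed to receive it.
# The domains are placeholders, not real organisations.
RECIPIENT_ALLOWLIST = {
    "PCI": {"payments.example"},
    "PII": {"payments.example", "hr.example"},
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN layout


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of data classes ("PCI", "PII") found in the message body."""
    classes = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            classes.add("PCI")
    if SSN_RE.search(text):
        classes.add("PII")
    return classes


def check_outbound(recipients, body):
    """Return (allowed, violations). The message is blocked if any recipient's
    domain is not on the allowlist for a data class present in the body."""
    classes = classify(body)
    violations = []
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        for cls in sorted(classes):
            if domain not in RECIPIENT_ALLOWLIST[cls]:
                violations.append((rcpt, cls))
    return (not violations, violations)
```

The violations list is what an operator would want logged, since it names both the recipient and the data class that triggered the block.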

  2. […] McDonald wrote a great post on his GartnerGroup blog about security that you must read: Security is personal and professional more than technical.  The money quote for me is: Security is an asymmetric game from a technical perspective where the […]
