
Information security's little secret: a security professional's plea to managers and executives

San Diego Business Journal, Dec 4, 2006 by Christopher Vera

The protection of an organization's information is expected by customers, demanded by stockholders, scrutinized by auditors and enforced by the law.

IT staff, auditors and every vendor with the word "security" bolted to its name have probably been hammering organizations with terms such as firewalls, encryption, Sarbanes-Oxley and California Privacy, over and over again.

However, a little secret is that not all the technology in the world, nor all the highest-paid security consultants, can save an organization from the weakest link in the security chain. That weakest link is people. Some use weak passwords, or write them down on sticky notes. Others send confidential information over the Internet as if it were magically unreadable by anyone except the recipient. Others visit every Web site e-mailed to them, whether they know the sender or not. Each of these small, often unnoticed occurrences adds up to one huge liability.

It is not that employees intend to do wrong. The problem is that they are doing what was asked of them. They are prioritizing their work exactly as they perceive the employer wants them to. Unfortunately, protecting information generally sits at the bottom of those priorities, if it makes the list at all.

Thus, another term to add to the security lexicon is security awareness: "influencing or modifying a person's behavior or an organization's culture to be more security-sensitive." Vibrant security awareness is more than just PowerPoint presentations or Web-based training on strong passwords and security policies. These things by themselves will never change an organization's culture, because they lack a critical ingredient: the ability to set priorities.

That is where the organization's leadership comes in. If war is too important to be left to generals, then information security risk is too important to be left to security professionals alone. Information security can be delegated; risk cannot.

Security awareness begins with understanding one's surroundings: for example, knowing how an organization protects, or fails to protect, its information, what the threats to the business are, and how to mitigate them at a reasonable cost.

Organizations don't have to rely on Google or security vendors alone for help. San Diego harbors a group of professionals who live and breathe to share their security knowledge and experience.

The mission of the San Diego chapter of the Information Systems Security Association (ISSA) is to promote practices that ensure the confidentiality, integrity and availability of organizations' information. The chapter lets attendees meet other professionals facing the same information security problems. Membership is not required, although it has its privileges.

Christopher Vera, GCFA, CISSP, is the deputy director of education for the Information Systems Security Association, San Diego chapter. For more information, please visit www.sdissa.org.

COPYRIGHT 2006 CBJ, L.P.
COPYRIGHT 2008 Gale, Cengage Learning