The greatest threats come from within
John Roig, CIO, Family Central
The greatest threats do not come from outside the organization. I am not by any means suggesting that we shirk our responsibilities by ignoring or even diminishing the possibility of hacked web sites, intercepted communications or remote intrusions. Yet in reviewing the eye-popping headlines responsible for sleep deprivation amongst IT managers, the inescapable conclusion is that most data ‘breaches’ are nothing of the sort. The violators are most often formerly trusted coworkers and confidants who, for reasons far beyond the scope and responsibilities of IT management, have succeeded in causing troubles of a nature that is palpably transparent to everyone in the organization – and to many on the outside as well. And that indeed is the responsibility of IT management.
Most IT shops are stocked full of individuals keenly attuned to the latest gadgets and devices that attracted them to the market in the first place. This enthusiasm should not be discouraged in any way, as from the margins often come the sharpest lines. Yet it is the responsibility of IT management to take a wide-angle view of the organization, placing the technical innovations and advancements squarely in the service of the organization, the organization’s business and, most importantly, the organization’s human components. For the overwhelming majority of organizations, the people are the primary engines of productive activity and, in the case of security breaches amongst other things, the genesis of data and security calamities. In our quest to provide proper data and systems security, IT management too often overlooks the human element for what it is, an oversight that results in the Sisyphean impossibility of shoe-horning round human pegs into square technical silos.
For even adequate enterprise security, IT management must provide solutions that engage, on an equal footing, other organizational departments and divisions. These include back-office functions such as accounting and human resources, as well as front-line operational areas involved in generating the activity that sustains the enterprise’s existence. IT may very well be the only department capable of breaching siloed interests – and can do so with technology applicable to most if not all areas. However, the tools by themselves are simply incapable of penetrating the recesses of ingrained human interests, let alone human behavior. Without mutually agreed, documented and auditable enterprise-wide policies and procedures that closely mirror the expected and verifiable activities of the organization’s people, future security breaches, data or otherwise, are only a matter of time. No IT-sponsored tools will alter the behavioral danger in and of itself.
IT must bring its tools and inter-departmental organizational capacities to the shared company table and recognize, from the outset, the need to place those tools in the service of objectives that can only be met with adherence to a world greater than our own; a world larger and infinitely more complex than the tools and apparatuses that so enthrall us. IT has an unquestionably critical and perhaps underpinning role to play. But without placing those tools in the service of a world consisting of people and product, we are condemned to suffer other inglorious repeats of security breaches and uncomfortable lines of inquiry – with ruinous consequences for ourselves and many others. It is our duty to work with, work for and to understand our non-technical colleagues and peers on their grounds – not bring them to ours. We cannot alter history – but we can be a force for a more restful future.
History doesn’t repeat itself…it just seems to rhyme a lot – Mark Twain inspiration