[ISN] Info Security 'Teachers' Need More Learning

From: InfoSec News (isnat_private)
Date: Tue Oct 02 2001 - 02:23:51 PDT


    October 01, 2001

    A longtime editor of Scientific American recalls meeting a famous
    movie critic. After introducing themselves, the movie critic said she
    knew "absolutely nothing" about science. The editor responded,
    "Whatever became of the idea that an educated person is supposed to
    know a little something about everything?"

    It has become common knowledge that all stakeholders in the enterprise
    should "know a little something" about information security and
    privacy. The first two questions toward making our systems secure are,
    "How much do executives really need to know?" and, "How many companies
    have developed a 'curriculum' detailing what specific business
    leaders, in specific business roles, need to know?" In conjunction
    with scholars at Arizona State University's College of Business,
    Guardent recently conducted a survey of 120 top-level executives. It
    turns out that less than 10% have or manage a security or privacy
    curriculum geared toward different information-handling

    Security professionals insist that better education of business
    executives is needed. They're right, but while they think they should
    be the teachers, they really should be the students first. At first
    glance, writing down what must be known about security and privacy and
    who needs to know it appears to be pretty basic. But security and
    privacy professionals appear unable to put the security and privacy
    to-dos in the proper context for people who manage sensitive
    information. Why? Security people have never been known to distinguish
    themselves with dazzling feats of writing. Dostoevski and Tolstoy were
    pithy compared with contemporary security and privacy policy writers.
    So, the first lesson at security school should be basic writing

    Then there's the "bedside manner" of security and privacy
    professionals. They tend to be very good at telling us what's wrong
    and what's broken, but most of them are mute when it comes to actually
    fixing the problem. Lesson two at security school: how to play
    constructively with others. Security experts have to stop being
    judge/jury/cop and start being therapist/counselor/creative

    Most security professionals would benefit from a bit of advice from
    journalists in the do's and don'ts of telling a good story. Executives
    of the future won't tolerate messages that aren't highly relevant to
    them and will filter them out. So, lesson three is storytelling.

    Assuming that the security curriculum has been created and taught, the
    third question becomes, "Has the organization tested various audiences
    against that curriculum?" Again, we find that less than 10% do so.

    The all-important final exam question is, "When executives know what
    they need to know, does that knowledge change their behavior?" We
    asked the 120 executives, "Do you think it will be best for the future
    of your company if senior executives like you played a more active
    role in designing and implementing information security and privacy
    programs?" Ninety-one percent answered yes.

    Three months later, we returned to that 91% and asked, "Have you
    become more active in designing and implementing information security
    and privacy programs?" Ninety-five percent said no. Executives endorse
    the theory and concept of security and privacy, but they don't walk
    the walk.

    What this tells us is that most companies' information security
    organizations wouldn't receive passing grades in trying to upgrade
    enterprise awareness of what each employee needs to know and do to
    render their systems and the data housed in them secure.

    Thornton May is corporate futurist and chief awareness officer at
    Guardent Inc. in Waltham, Mass. Contact him at
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 07:52:52 PDT