http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64314,00.html

THORNTON MAY
October 01, 2001

A longtime editor of Scientific American recalls meeting a famous movie critic. After introducing themselves, the movie critic said she knew "absolutely nothing" about science. The editor responded, "Whatever became of the idea that an educated person is supposed to know a little something about everything?"

It has become common knowledge that all stakeholders in the enterprise should "know a little something" about information security and privacy. The first two questions toward making our systems secure are, "How much do executives really need to know?" and, "How many companies have developed a 'curriculum' detailing what specific business leaders, in specific business roles, need to know?"

In conjunction with scholars at Arizona State University's College of Business, Guardent recently conducted a survey of 120 top-level executives. It turns out that less than 10% have or manage a security or privacy curriculum geared toward different information-handling responsibilities.

Security professionals insist that better education of business executives is needed. They're right, but while they think they should be the teachers, they really should be the students first.

At first glance, writing down what must be known about security and privacy and who needs to know it appears to be pretty basic. But security and privacy professionals appear unable to put the security and privacy to-dos in the proper context for people who manage sensitive information. Why? Security people have never been known to distinguish themselves with dazzling feats of writing. Dostoevski and Tolstoy were pithy compared with contemporary security and privacy policy writers. So, the first lesson at security school should be basic writing skills.

Then there's the "bedside manner" of security and privacy professionals. They tend to be very good at telling us what's wrong and what's broken, but most of them are mute when it comes to actually fixing the problem. Lesson two at security school: how to play constructively with others. Security experts have to stop being judge/jury/cop and start being therapist/counselor/creative problem-solver.

Most security professionals would benefit from a bit of advice from journalists in the do's and don'ts of telling a good story. Executives of the future won't tolerate messages that aren't highly relevant to them and will filter them out. So, lesson three is storytelling.

Assuming that the security curriculum has been created and taught, the third question becomes, "Has the organization tested various audiences against that curriculum?" Again, we find that less than 10% do so.

The all-important final exam question is, "When executives know what they need to know, does that knowledge change their behavior?" We asked the 120 executives, "Do you think it will be best for the future of your company if senior executives like you played a more active role in designing and implementing information security and privacy programs?" Ninety-one percent answered yes. Three months later, we returned to that 91% and asked, "Have you become more active in designing and implementing information security and privacy programs?" Ninety-five percent said no. Executives endorse the theory and concept of security and privacy, but they don't walk the walk.

What this tells us is that most companies' information security organizations wouldn't receive passing grades in trying to upgrade enterprise awareness of what each employee needs to know and do to render their systems and the data housed in them secure.

Thornton May is corporate futurist and chief awareness officer at Guardent Inc. in Waltham, Mass.
Contact him at thornton.mayat_private
This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 07:52:52 PDT