Folks on the list have hit on most of the essential elements of getting problems at an agency like Oregon Department of Human Services fixed. Policies need to be put in place. Management "buy-in" or stronger and more focused management leadership needs to be developed to make Infosec a priority. The fears of the developers and/or production folks of being "locked down" and kept from providing services and "doing their work" need to be overcome.

The key element that hasn't been brought up is the role of the information security professional, either in the State government or at the individual department position. As professionals, we have to get over the huge hump of being perceived as the people who say "No, you can't do that". We're also seen as the people who jump to point out the problems and deficiencies in an organization. Until we successfully smash those concepts and help educate companies or organizations as a whole, we'll keep seeing articles such as these in the press. Indeed, we'll keep seeing compromises that could have easily been averted by adherence to simple practices. I am not saying all problems would be solved; we're just picking at low hanging fruit.

Towards this end, the information security professional needs to develop an understanding of how an organization's business works. They then need to balance this understanding with the risks from both the technology side and the business practice side. These risks and the steps needed to mitigate them then need to be translated into pointy haired manager speak and put into terms that are directly relevant to the business or organization. Developers need to be shown how their programs and environments could work better and more securely with changes in their development life cycles. Managers need to be shown the cost-benefit or potential loss breakdowns of their security holes and shown Return on Investment spreadsheets. The organizations' or companies' lawyers need to be given an understanding of the risks. They'll put a fire under someone's butt.

Time and time again, I hear information security personnel get a bad rap because we're seen as these roadblocks to doing business and getting stuff done. Unfortunately, the stuff I am talking about isn't the glorious or sexy side of Infosec. It's not entirely the tech side or investigative side. But it's a critical part of Infosec that I think a lot of us are not giving enough thought.

To this end, the information security community of Oregon has the responsibility to educate the state leadership to bring about a shift in their perceptions. We should, however, work on ourselves to become people who help businesses, organizations, or non-profits to do their work securely and not just people who lock stuff down and point out deficiencies.

As an aside, perhaps the state government should create an information security oversight tzar. Someone who would help drive Information Security practice downwards from the top.

-Esteban Gutierrez

T. Kenji Sugahara wrote:
> What's needed is buy-in from the Governor on down. (e.g. a fundamental shift in thinking).
>
> Each agency head needs to understand the costs and benefits of security. They need to be advised of the cost of computer insecurity.
>
> Risk management needs to be all over this issue. Identity thieves have already been caught with copies of DMV records on CD. What's next? Each breach could cost the state millions with ensuing litigation.
>
> Would people on this list be willing to put their names on a piece of paper that says we need to make security a priority in Oregon government?
This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 10:31:46 PDT