Tuesday, March 04, 2008

Not worried about information leakage?

You (link 1) should (link 2) be (link 3).

(Disclosure: I work for a data security infrastructure software vendor - but these are my thoughts and not those of my employer.)

I often talk to organisations about the fact that employees aren't trying to violate security policies. They just don't know what the right thing to do is. In other words, it's about education as much as it is about technology.

If you followed the links above, there's another thing to consider: the altruistic tendencies of human beings. I'm all for free speech and the right of the public to know when unjust or unethical factors are at play. But this is all subjective. Looking at information control within organisations from this point of view, you're going to have employees who knowingly do the wrong thing but have a greater good in mind.

If I put myself in the shoes of the information security department (the executive board will probably share this view), I don't want anything getting out, especially if it damages the organisation. That includes cases where it can be argued that it's for the greater good. Why? Because people are just doing their job (consider why people work for tobacco companies or gambling organisations). People are also entitled to their own opinions. It is this subjective view that may be prone to error. Regardless of whether the person is right or wrong about the facts, if they violate security policies, even when they believe it's the right thing to do, they should be stopped. That's why security policies are there in the first place. It may be determined at a later date that the policy is wrong, but that's the fault of the person who created the policy, not of the whole security process or the controls in place. Security is there for a reason and it should be enforced.

I realise there is a very fine line here. If something an organisation does is plain wrong, we should all know about it. But at the other end of the scale, if we promote rumour and innuendo, the damage to an organisation may ultimately lead to its downfall.

Security can get rather philosophical at times and I'll be heading that way if I don't stop right here. We should all decide for ourselves what is right and wrong. I'm just pointing out another factor to consider when trying to secure your organisation's information.
