Info Security 'Teachers' Need More Learning

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64314,00.html

THORNTON MAY
October 01, 2001 

A longtime editor of Scientific American recalls meeting a famous
movie critic. After introducing themselves, the movie critic said she
knew "absolutely nothing" about science. The editor responded,
"Whatever became of the idea that an educated person is supposed to
know a little something about everything?"

It has become common knowledge that all stakeholders in the enterprise
should "know a little something" about information security and
privacy. The first two questions toward making our systems secure are,
"How much do executives really need to know?" and, "How many companies
have developed a 'curriculum' detailing what specific business
leaders, in specific business roles, need to know?" In conjunction
with scholars at Arizona State University's College of Business,
Guardent recently conducted a survey of 120 top-level executives. It
turns out that less than 10% have or manage a security or privacy
curriculum geared toward different information-handling
responsibilities.

Security professionals insist that better education of business
executives is needed. They're right, but while they think they should
be the teachers, they really should be the students first. At first
glance, writing down what must be known about security and privacy and
who needs to know it appears to be pretty basic. But security and
privacy professionals appear unable to put the security and privacy
to-dos in the proper context for people who manage sensitive
information. Why? Security people have never been known to distinguish
themselves with dazzling feats of writing. Dostoevski and Tolstoy were
pithy compared with contemporary security and privacy policy writers.
So, the first lesson at security school should be basic writing
skills.

Then there's the "bedside manner" of security and privacy
professionals. They tend to be very good at telling us what's wrong
and what's broken, but most of them are mute when it comes to actually
fixing the problem. Lesson two at security school: how to play
constructively with others. Security experts have to stop being
judge/jury/ cop and start being therapist/counselor/creative
problem-solver.

Most security professionals would benefit from a bit of advice from
journalists in the do's and don'ts of telling a good story. Executives
of the future won't tolerate messages that aren't highly relevant to
them and will filter them out. So, lesson three is storytelling.

Assuming that the security curriculum has been created and taught, the
third question becomes, "Has the organization tested various audiences
against that curriculum?" Again, we find that less than 10% do so.

The all-important final exam question is, "When executives know what
they need to know, does that knowledge change their behavior?" We
asked the 120 executives, "Do you think it will be best for the future
of your company if senior executives like you played a more active
role in designing and implementing information security and privacy
programs?" Ninety-one percent answered yes.

Three months later, we returned to that 91% and asked, "Have you
become more active in designing and implementing information security
and privacy programs?" Ninety-five percent said no. Executives endorse
the theory and concept of security and privacy, but they don't walk
the walk.

What this tells us is that most companies' information security
organizations wouldn't receive passing grades in trying to upgrade
enterprise awareness of what each employee needs to know and do to
render their systems and the data housed in them secure.

Thornton May is corporate futurist and chief awareness officer at
Guardent Inc. in Waltham, Mass. Contact him at
thornton.may () guardent com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.