I recently learned that an acquaintance of mine did something dishonest in the name of information security, apparently in order to preserve or advance his own career. Stu (not his real name) acquired his former employer’s complete disaster recovery plan in electronic form. At his new place of employment, Stu took that document and changed the headers and footers and some other details and then presented it as his own work.
Later, executives from Stu’s current and former employers attended a business meeting. The purpose of the meeting, as I understand it, was a discussion on disaster recovery, kind of a “show me yours and I’ll show you mine” exchange. (Stu’s current and former employers are in the same industry.) The executives from the two companies were shocked when they discovered that their disaster recovery plans were virtually identical. The disaster recovery director at Stu’s former employer recognized the other company’s plan as his own.
Hearing this story reminded me of a critical fact: In business and information security — and closely related disciplines such as business continuity and disaster recovery planning — we lead by example.
In my columns, I usually address "you" in the second person. But on this topic, I will speak of "we" in the first-person plural. I want to make sure you understand that what I'm saying applies not only to you, but also to me.
Do as we say, and as we do
In information security, we strive to improve the integrity, reliability and control of information systems, business processes and the people in the organization. Through policy and security awareness, we want the people we work with to act with good judgment and integrity.
Some of us are responsible for creating and enforcing security policies that apply to everyone in the organization. Whether we like it or not, we are role models. If, by our behavior, we are strict about conforming to security policy, then those who observe us are more likely to do the same. If, on the other hand, we act as though we’re above the law, especially our own law, how can we expect others to be serious about conforming to it?
Truth in, truth out
Here’s a simple and reliable definition:
Truth: factual representation of things that are; factual representation of events.
This has everything to do with information security. We expect applications to record, calculate, store and report events and information accurately. Truth in, truth out.
We expect these events to be verifiable via audit logs so that the truth can be ascertained later if needed.
We need truth and transparency in our networks, computers and applications. Those personnel with a need to know must fully understand how their infrastructure functions and how it’s operated and managed.
Correspondingly, truth and integrity are required of us. Whatever we do, we must operate within the law, not above it. The reasons for our decisions should be knowable and known. We must act with the same high level of integrity that we expect of others.
Examples of examples
Let me suggest a number of ways in which we, who are in positions of authority in information security, can lead by example. First, we shouldn't hold special access privileges that we don't need to do our jobs. Whether that means file server access, e-mail quotas or Internet access, we should live by the same restrictions as our colleagues.
Next, if we prescribe that employees need to be restricted on the functions they can perform on their workstations, then we should live by the same set of rules.
Certainly, exceptions to the rules are sometimes required to keep the business humming. But if other employees must apply for an exception to get whatever access or privileges they need, then we ought to be subject to the same approval process to get what we need.
We must live by the same checks and balances that we expect of our peers. How else will we gain their respect? How else can we expect them to live by the rules of the game if we’re permitted to take shortcuts?
A journey for all
We frequently tell our colleagues that security is a journey. I’ve heard many in our profession make this pronouncement in a way that implies that they’ve completed the journey that their colleagues have yet to make. Every IT professional needs to recognize that each of us begins the journey but never ends it. This is because the security journey is not only a journey of knowledge and proficiency, but also one of personal integrity. And each of us, being imperfect beings, may approach — but never reach — perfection.
Positions of responsibility and authority in information security require far more than knowledge and experience. To be truly effective, character and personal integrity are required. In everything we do, we must lead by example. Everything we require of other employees we must do ourselves. Success demands it.