How To Make Information Security Everyone's Problem - InformationWeek

Use self-interest and propaganda to change employees' attitudes about endpoint security.

There are two types of employees you really have to watch out for. Security professionals know all too well about rogue users--the ones who ignore or actively subvert security controls. These people aren't out to steal information or cause damage, but they do believe security controls are inconvenient, slow down their devices, and interrupt their workflow. They bypass security processes and procedures, and introduce massive risk to the organization.

It can be difficult to rein in rogue employees: they don't report to you, business leaders often won't listen, and you or someone above you may need to spend valuable political capital to take care of the problem.

Think you can address rogue behavior simply through new tech controls? Think again. Users' physical control over their own workstations trumps any technical control you can impose. Many years of experience have taught me that management, not technology, must solve this problem.

Also watch out for the clueless. They, too, can cripple your organization's security posture. These folks read the email from "The SysAdmin Desk" saying, "You have exceeded your email quota," and dutifully go to Google Docs and provide user names, passwords, network IDs, and birth dates, without even questioning who this SysAdmin actually is and whether this problem is real.

Don't laugh. If you haven't run a password-phishing fire drill at your company, try it--but get ready to be surprised. The "take rate" for a malicious phishing expedition (that is, the percentage of employees who get fooled) typically runs at least 30% for random attacks and higher for directed attacks. Security consultant and InformationWeek contributor Michael A. Davis says targeted phishing fire drills he's run sometimes net nearly 60% of the organization.

IT's answer to this is usually training and more training. And training is certainly a piece of the solution. The harder and more important part, though, is getting employees to take info security seriously in the first place. You want them to consider infosec to be as important as their personal safety in the parking lot because they understand the threat.

The people who get fooled by phishers and other cyberscammers aren't idiots. They just haven't yet made the connection between their computing behavior and the organization's well-being.

You need them to make that connection, and you're more likely to get them to do that with positive steps than with punitive measures. Try the six steps we outlined on p. 1 of this story and see if they get you closer to a security-aware workforce.

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at or at @_jfeldman.

User Rank: Ninja
3/29/2012 | 6:36:06 PM
re: How To Make Information Security Everyone's Problem
Best comment ever: "A lot of IT security, if we are honest, is like putting your head under your desk in the case of a nuclear attack."
User Rank: Apprentice
3/28/2012 | 12:32:42 AM
re: How To Make Information Security Everyone's Problem
I think the cure is often, not always, worse than the disease in the case of IT security. Installing anti-virus software on PCs for instance. Good thing you have that anti-virus software on your PC, otherwise someone could install software that slows down your system and puts annoying pop-ups all over the place... which is exactly what the anti-virus software itself does to your system.

Think about the collective amount of time and money (money in the form of productivity) that goes into something like 60-90 day password changes. It has to be in the billions across all companies. Not to mention that people need to store their passwords somewhere, like on a Post-it note, so they don't forget their many, constantly changing passwords... which, again, is more of a security vulnerability than not requiring forced changes in the first place.

I am not saying that people should drop IT security altogether, just that they should stop treating every endpoint as if there is an army of hackers bound and determined to crack it. Oftentimes people implement the most elaborate IT security measures under the sun to protect data which isn't of particular value to anyone.

A lot of IT security, if we are honest, is like putting your head under your desk in the case of a nuclear attack. If a talented hacker wants into, for instance, a Windows network, you are not going to be able to stop them regardless of your security standards.
User Rank: Apprentice
3/27/2012 | 4:18:09 AM
re: How To Make Information Security Everyone's Problem
"Human vulnerabilities--ignorance, inattention, gullibility--are just as exploitable as software vulnerabilities, if not more so." -- Very true.
Brian Prince, InformationWeek/Dark Reading Comment Moderator