How To Make Information Security Everyone's Problem

Use self-interest and propaganda to change employees' attitudes about endpoint security.

Jonathan Feldman, CIO, City of Asheville, NC

March 22, 2012


There are two types of employees you really have to watch out for. Security professionals know all too well about rogue users--the ones who ignore or actively subvert security controls. These people aren't out to steal information or cause damage, but they do believe security controls are inconvenient, slow down their devices, and interrupt their workflow. They bypass security processes and procedures, and introduce massive risk to the organization.

It can be difficult to rein in rogue employees because they don't report to you, business leaders often won't listen, and you or someone above you may need to spend valuable political capital to take care of the problem.

Think you can address rogue behavior simply through new tech controls? Think again. The physical control of the workstation that users have trumps anything you can dish out. Many years of experience have taught me that management, not technology, must solve this problem.

Also watch out for the clueless. They, too, can cripple your organization's security posture. These folks read the email from "The SysAdmin Desk" saying, "You have exceeded your email quota," and dutifully go to Google Docs and provide user names, passwords, network IDs, and birth dates, without even questioning who this SysAdmin actually is and whether this problem is real.

Don't laugh. If you haven't run a password-phishing fire drill at your company, try it--but get ready to be surprised. The "take rate" for a malicious phishing expedition (that is, the percentage of employees who get fooled) typically runs at least 30% for random attacks and higher for directed attacks. Security consultant and InformationWeek contributor Michael A. Davis says targeted phishing fire drills he's run sometimes net nearly 60% of the organization.

IT's answer to this is usually training and more training. And training is certainly a piece of the solution. The harder and more important part, though, is getting employees to take info security seriously in the first place. You want them to consider infosec to be as important as their personal safety in the parking lot because they understand the threat.

The people who get fooled by phishers and other cyberscammers aren't idiots. They just haven't yet made the connection between their computing behavior and the organization's well-being.

You need them to make that connection, and you're more likely to get them to do that with positive steps than with punitive measures. Try the six steps we outlined on p. 1 of this story and see if they get you closer to a security-aware workforce.

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at [email protected] or at @_jfeldman.

About the Author

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human resources management. Asheville is a rapidly growing and popular city; it has been named a Fodor top travel destination, and is the site of many new breweries, including New Belgium's east coast expansion. During Jonathan's leadership, the City has been recognized nationally and internationally (including the International Economic Development Council New Media, Government Innovation Grant, and the GMIS Best Practices awards) for improving services to citizens and reducing expenses through new practices and technology. He is active in the IT, startup and open data communities, was named a "Top 100 CIO to follow" by the Huffington Post, and is a co-author of Code For America's book, Beyond Transparency. Learn more about Jonathan at Feldman.org.
