Monday, 29 December 2008

Data loss, cock-ups and vested interests

I was recently involved in an on-line discussion about USB data security. The person with whom most of the initial discussion occurred favoured hardware solutions. The initial recommendation was for one that was well known to be cracked, followed by entering into an arms race and proposing the extremely expensive IronKey (TM). I've written a set of recommendations on my consultancy blog.

The cock-up I would like to deal with here is to do with managers and techies. The situation can be summed up as follows...
  • managers know little or nothing about computers and computer security.
  • techies have little or no respect for their non-technical managers.
  • the two sides speak a totally different language.
So how do these two groups manage to deal with computer security together in the workplace?

What should they do...

I would suggest that they ought to:
  • get an external organisation to do a threat analysis and some penetration testing.
  • look at the results of this and act on them.
  • focus mainly on the human issues - training and good practice.
Why won't they...

The managers will not want to bring in external experts because they will not be in control. It is one thing to employ management consultants, because they talk the same language.

The techies will not want to bring in external consultants because they will lose control. If they feel in the slightest bit insecure (and who doesn't?) they will feel threatened.

So what can we expect...

I can safely predict that 2009 will see more data loss. Managers will propose management and procedural solutions. Techies will propose technical solutions. No-one will look at the problem.

Full article and set of recommendations on my consultancy blog.
