My name is Michael Seese, CISSP, CIPP. Those initials after my name mean that I earn a living by worrying about security and privacy, two topics which definitely are on folks’ minds—and regrettably, in the headlines—a lot these days. I used to be a programmer, working mainly in C. Then one day, standing in a local bookstore and surrounded on three sides by programming books, covering C++ and C-sharp and .NET and ASP, I had an epiphany: programming languages come and go. Guess wrong—that is, specialize in the flavor-of-the-last-month—and some college fresh-out will take my job, probably do it better, and for half the money. But the need to store data and protect data will remain and, in fact, grow. That realization led to my current career track.
I point this out because it’s relevant to why I’m writing this week. Those of us who have been involved with IT for a dozen years or more (OK, maybe 20 years) could talk about “back in the day.” The early computers—mainframes—had built-in security in that they were huge (I’ve never heard of a mainframe being stolen out of the trunk of someone’s car), they were not networked outside of the organization (or even IN the organization!), and only super-smart geeks could run them anyway.
Then the PC happened.
Then the LAN card happened.
Then Al Gore happened.
Then the Internet happened.
And then, e-commerce happened.
The Information Age was fully upon us, and suddenly, every worker was a knowledge worker and every consumer an e-shopper. For a few glorious moments it seemed that a whole new world of possibilities was opening up for humankind.
So back in the day, security could be an afterthought. Today, it has to be “baked in.” You wouldn’t buy a car that was designed and built without brakes or an engine firewall or air bags.
That is where you, dear project management professionals, come in. Your opinions of security probably run the gamut from “absolute necessity” to “mild inconvenience” to “@#$%& requirement that we need to figure out how to get around.” To be honest, sometimes I feel the same way. But what I need to do is convince you that it really needs to be the former, though at times I’m OK with you thinking “mild inconvenience.”
When conducting an information security awareness session—or when addressing you—I am talking to adults. So I cannot treat you like children. Rather than say, “It is what it is…DEAL WITH IT,” I need to explain why certain rules have to be followed. Training adults, I have long believed, is a lot like explaining life to a teenager. You could simply forbid your daughter from dating a “bad boy.” But unless you explain why (and unfortunately, even if you explain why), she will nod her head, say “OK, Daddy,” and then still sneak out her window at night to see her long-haired, tattooed rock-and-roll boyfriend. Adults can be the same way. You can tell them again and again that they can’t use their children’s names as passwords. But if you explain—or better, show them—why not, they will be less inclined to simply say, “Yeah, yeah,” and do it anyway.
So for this week, I would like to share some of these whys, so that you can understand why the infosec guys can be so darned stubborn.