My name is Michael Seese, CISSP, CIPP. Those initials after my name mean that I earn a living by worrying about security and privacy, two topics which definitely are on folks’ minds—and regrettably, in the headlines—a lot these days. I used to be a programmer, working mainly in C. Then one day, standing in a local bookstore and surrounded on three sides by programming books, covering C++ and C-sharp and .NET and ASP, I had an epiphany: programming languages come and go. Guess wrong—that is, specialize in the flavor-of-the-last-month—and some college fresh-out will take my job, probably do it better, and for half the money. But the need to store data and protect data will remain and, in fact, grow. That realization led to my current career track.
I point this out because it’s relevant to why I’m writing this week. Those of us who have been involved with IT for not much more than a dozen years (OK, maybe 20 years) could talk about “back in the day.” The early computers—mainframes—had built-in security in that they were huge (I’ve never heard of a mainframe being stolen out of the trunk of someone’s car), they were not networked outside of the organization (or even IN the organization!), and only super-smart geeks could run them anyway.
Then the PC happened.
Then the LAN card happened.
Then Al Gore happened.
Then the Internet happened.
And then, e-commerce happened.
The Information Age was fully upon us, and suddenly, every worker was a knowledge worker and every consumer an e-shopper. For a few glorious moments it seemed that a whole new world of possibilities was opening up for humankind.
So back in the day, security could be an afterthought. Today, it has to be “baked in.” You wouldn’t buy a car that was designed and built without brakes or an engine firewall or air bags.
That is where you, dear project management professionals, come in. Your opinions of security probably run the gamut from “absolute necessity” to “mild inconvenience” to “@#$@ requirement that we need to figure out how to get around.” To be honest, sometimes I feel the same way. But what I need to do is convince you that it really needs to be the former, though at times I’m OK with you thinking “mild inconvenience.”
When conducting an information security awareness session—or when addressing you—I am talking to adults. So I cannot treat you like children. Rather than say, “It is what it is…DEAL WITH IT,” I need to explain why certain rules have to be followed. Training adults, I have long believed, is a lot like explaining life to a teenager. You could simply forbid your daughter from dating a “bad boy.” But unless you explain why (and unfortunately, even if you explain why), she will nod her head, say “OK, Daddy,” and then still sneak out her window at night to see her long-haired, tattooed rock-and-roll boyfriend. Adults can be the same way. You can tell them again and again that they can’t use their children’s names as passwords. But if you explain—or better, show them—why not, they will be less inclined to simply say, “Yeah, yeah,” and do it anyway.
So for this week, I would like to share some of these whys, so that you can understand why the infosec guys can be so darned stubborn.
I agree with Kimberly. I can already think of the following –
1) Quality – When information security is breached you’re looking at corrupted data, loss of data and inappropriate use of that data… really you’re at the mercy of the perpetrator. Bad data is just that – *bad*. It will cause programs to hit all the corner cases that were not considered because security was not of primary interest. Information security needs to be a consideration right from requirements and design all the way to QA and deployment. In fact, QA and deployment folks need to be actively looking for security holes.
2) Customer loyalty – It’s all about earning customer loyalty and trust for the long term. As an example, I would take a less user-friendly website any day if my information was protected, over a more user-friendly one that was wide open. Getting something out there “on time” by sacrificing security may get you short-term gains but actually puts you in the negative in the long term.
Eagerly awaiting more on this topic …
Leading a big, hairy, audacious project tends to be all-consuming, so unless you can convince a hellishly busy project leader why information security is absolutely a critical success factor, I don’t think they’ll pay you a lot of attention. In fact, anything that is not on the “Success Scorecard” tends to get ignored… little things like quality and customer satisfaction, for example, when teams are measured purely on factors like “on-time, on-budget, feature complete”. So we need to show project leaders and teams how their very success is directly tied to information security, and that their primary goals may be in jeopardy as a result of not paying enough attention to information security. What are the measures of project success that are threatened by lack of adequate information security? I’m looking forward to your rants about this, Michael!
– Scrappy Kimberly Wiefling, Author, Scrappy Project Management (soon to be translated into Japanese by Nikkei Business Press)
This is going to be a great week! Information security is one of those things that many people who don’t understand it say “ah geez, I guess we have to do this because it’s a regulation or policy.” Many people see it as unnecessary overhead, which of course it is not. It’s like good, applied risk management!
Josh Nankivel
pmStudent.com