November Editorial
 

"Ethics Committee Staffer Leaks Secrets on File-Sharing Network" read the headlines in the Washington Post and Wired Magazine.  The contents of the article had me shaking my head, remembering the countless times I have been blamed for adding to red tape, preventing home productivity, and even once being called a "Security Nazi" across a crowded boardroom table.  The words used in describing the leak from a United States Congressional Committee are dumbfounding. Phrases such as "accidentally leaking... over a peer-to-peer network... on a home computer..." litter the articles, sheltering the real culprit in today's technology-savvy workplace - the battle between staff convenience and legitimate consumer data protection. 

I struggled (and failed) to find the exact phrase and author of a quote my father once told me. It goes something like this: "No one can tell us what to do, there should be a law against that."  Today's staffers are not computer users of corporate networks; they see themselves as "plugged in," and any barrier to unfettered access is seen as a barrier to their rights, not a safeguard of other people's.  Throughout their day they move seamlessly through the digital world, buying gas with a PIN while listening to an audiobook downloaded via a secure account on their iPhone.  The increased functionality of Windows, the convergence of voice, video and data onto IP networking, and the increased comfort of staffers with exploring and experimenting have combined into a witch’s brew of mixed blessings.

The same folks who would, without thought, install a nonsecure peer-to-peer network within the confines of the United States Congress are besieged daily by singers in "pointy slipper and green wool tights" about the looming dangers of credit hacking.  There is a fundamental disconnect, no - actually I think it's worse... There is a fundamental disrespect of security and computer use policies.  This is evident in the mindset of households full of illegally downloaded music and movies - if they can do it, why shouldn't they? Adding to the bizarre "if it’s digital music, we're not really stealing" attitude is the emboldened sense of wink-nod acceptance by supervisors when spreadsheets and other work documents appear without all those "silly security hoops and rules".

Much of this nearly malfeasant behavior at the workplace lies primarily at the feet of the institutional leaders themselves.  Over 25 years, I have dealt with the aftermath of hundreds of security breaches. With a few exceptions, the root cause was that the security rules that were implemented interfered with the employees’ ability to actually do their jobs. American workers are ingenious (it’s part of what makes us great); they WILL find a way to get something done in a leadership vacuum.  Sad but true - security policies are normally reactive in nature. Rarely during the gathering of business requirements does the protection of sensitive data become a filter or even a discussion point.

Worse, Information Technology Departments often proclaim from ivory cubicles rules, regulations, and policies that "shut down streets without putting up detour signs".  In some cases the disconnect is that the IT Department may not have the answer itself; other times it may not have been informed. Having been in leadership positions of IT organizations throughout my career, I must confess to having been in the position of clamping down on workplace flexibility without having an alternative.  In many cases, however, what appears to be an IT issue is actually a larger workplace or HR issue. For example, suppose a valued employee is promised by their supervisor the ability to work from home during a family illness? Suppose that employee works for the United States Congress? Suppose that employee has teenage children who play peer-to-peer networking games or participate in illegal music and movie downloading?

Yup, just like that, your business is on the cover of the Washington Post.

P.S.
Software/hardware has been available for at least five years that would have made this incident preventable.  Somewhere, it’s very quiet in the IT Department. 


 
