I was looking at Facebook the other day (yes, I know – a security guy that uses Facebook – just wait until you have grandkids and a scary message appeared at the top of the page. It was the 39 year anniversary of my employment at Columbia University.
I have been working in IT for 39 plus years (including the time as a student employee). It occurred to me that while I have only been doing security for 18 years, all of my work in IT has revolved around one thing – Data.
In the 1992 election, Clinton used the phrase “It’s the economy, stupid” to focus the campaign workers on the importance of this message. I would like to use “It’s the Data, stupid” to focus the attention of security on what is really important.
As I listen to various presentations (many by vendors) on “security shiny things,” it is amazing to me how few products are out there that actually protect data. In my humble opinion, protecting the data should be job one, and the best way I know to protect data is to stop collecting data you do not ABSOLUTELY need.
I just got off the phone with someone who was telling me about a project that he was trying to squash. It involves collecting Personally Identifiable Information (PII) all in one place — including passwords and security question answers (everything short of SSN and bank account numbers) for employees. This way, in case someone leaves, they would be able to know where everything was. The reasoning is that because of employee turnover, it is hard to keep track of everything. They want this to be in a shared file, so everyone that needs the information could get it.
I don’t have to say how many things are wrong with this, but if you look around, you will find lots of these shadow systems – where a system could be as small as a sheet of paper (or spreadsheet) kept by the administrator. Unfortunately, most of these are not encrypted or protected in any way, and unless you start looking for them, they will only be found by a misguided web click or a “I didn’t know that file sharing programs share ALL of my files.”
I often say that security is 10 percent technology and 90 percent politics. Working with people is the most challenging and, I think, the most interesting part of the job. One of the most useful security books I have read is How to Win Friends and Influence People by Dale Carnegie. Remember: people are just trying to do their jobs, and unless you find ways to enable them, they will find ways to get around your best security toys.
It’s the Data, stupid.