I was once involved in a job which required us to check a network to detect undesirable images. I discussed it with the CIO and explained that first we would tell everyone of our intentions and then we would do the actual check, my logic being that the advance warning would see an immediate deletion of the embarrassing items.
Lo and behold that was exactly what happened and the company recovered about 20 per cent of its total disk capacity without firing a shot. However, I was amazed to find that when we did the subsequent check the only real offender was the CIO himself.
At his dismissal hearing I asked why he hadn’t taken advantage of the warning. His response was that it never occurred to him that we would check his files. A strange, but not a totally unexpected, response from a senior manager.
I once had to deal with a chief executive who shared his access credentials with his secretary despite this being a dismissible offence. His response was similar to the CIO’s; the policy did not apply to him.
We can control technology but we can only manage people – and those are two very different things. We “manage” people by implementing policies, standards and procedures, but until we can implant a controlling chip (which is what most governments would probably like) we are still unable to “control” them. It’s not the computer that steals the money, but the person. It’s not the computer that causes the data leak, but the person. That abnormal programme termination is caused by the programmer, not the programme. The covering of tracks by deleting a log file is person inspired and not the idea of the computer.
So, people management is really important. That’s why I have argued – quite unsuccessfully for some years – that security is a human resource challenge. After all, it is HR that conducts the initial background check. It is HR that sets the employment policies and staff-review processes and it is HR that drives the termination process.
All in all, that’s a pretty solid case for HR driving security. Indeed, perhaps the chief security officer (CSO) should be part of HR. I am aware that neither HR nor IT is happy with this idea – but there is no doubt in my mind that information security is a corporate, and not an IT, responsibility.
HR managers: it’s time to step up.

John Mitchell is a member of the lecture panel for Faculty-One where he teaches fraud detection & investigation. He is also Managing Director of LHS Business Control, a corporate governance consultancy which he founded in 1988.