In the bunkers that control America's nuclear weapons, two officers must simultaneously turn control keys in order to launch an attack.
I heard of a similar procedure the other day, but from a much different source: Decru Inc., whose storage encryption appliances can be configured so that two systems administrators, each validated by a smart card, must agree before either of them can change a user's access rights to the data.
The moral of the story: There are times when the stakes are so high and the pressure is so great that you can't just trust that your employees will do the right thing. Hopefully, the average workplace isn't as tense as a bunker during a war drill. But there are plenty of cube-dwellers who are a lot less loyal to their companies than they were during flusher times.
The hunkered-down economy means there's less money for information security and less motivation on the part of users to follow security policies. At the same time, senior management is paying more attention than ever to security issues. The best way security managers can help their employers and themselves, is to develop their "soft" skills. Not "soft" as in warm and cuddly, but "soft" in that they are harder to measure than pure technical competency and have more to do with people and business issues than with technology. A few examples of how soft skills can help:
Know the business. Security threats may be bigger than ever (read: cyberterrorism), but few companies can afford to spend more on security tools or security staff. Effective security managers need to understand the competitive, legal and regulatory environments in which their companies operate so they know when to recommend full-bore, military-grade safeguards and when to get by with simple passwords and encryption. Matching the security precautions to the business risks also reduces the number of times you have to force overworked and disgruntled users to follow cumbersome security procedures.
Know how to listen and convince. People afraid of losing their jobs will scramble to get their "real" work done to escape the ax. But they'll resent and try to skirt anything that gets in the way, such as having to go through multiple log-ins or fumble for a smart card. Mid-level managers who are scrambling to keep their own jobs have little clout or time to spend enforcing such security policies, especially if they don't understand those policies themselves. An effective security manager must listen to how overworked and under loved his peers are, yet still convince them that following proper security policies is the right thing to do -- and is an important part of them keeping their jobs.
Know how to communicate. Security is going through the same evolution that other IT functions, such as transaction processing and data mining, have already gone through. Instead of being a backroom function left to the techies, security is increasingly a front-and-center concern for top business managers. Much of this attention is driven by new regulations guarding the privacy of customer data, as well as increasing management demands to know exactly what it is getting for its security spending. One example: Alan Paller, Director of Research for the SANS Institute, reports a surge in the number of IT auditors who are taking advanced security training. Security has always been on the auditing checklist, of course, but this is a sign that senior management wants to be sure it's protected against the latest e-commerce threats. Good security managers can explain to managers how they're protecting corporate systems, provide evidence of what they've accomplished and prove their security efforts are cost-effective.
Keep learning. Even in the midst of the worst downturn of the computer age, the demand for security professionals keeps growing. David Foote, president and chief research officer of Foote Partners, a New Canaan, Conn. consultancy and IT workforce research firm, reports that security certification in general is delivering higher levels of bonus pay than most other technical certifications. The skills that are in most demand, he says, include not only experience in regulatory and cyberterrorism issues and enterprise project management, but also being "adept at navigating corporate politics" as well as a having a "questioning attitude, diplomacy, patience, attention to detail, tenacious abstract problem solving," not to mention perseverance and a strong will.
Whew. Developing this combination of skills is a tall order, but the more successful you are, the more marketable you'll be. That will come in handy if your current employer turns lean and mean.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at email@example.com