Back when I was a kid, the first line of defense after something bad happened usually sounded like “It wasn’t my fault!” Not that blaming someone else was going to magically mend that broken window or miraculously repair that scratched car; but it was a way to feel better and (hopefully) avoid the wrath of an angry parent. There was a cost associated with being found “guilty.” In my case, retribution was based on the seriousness of the infraction, and included having to give an apology, docked pocket money, or being sentenced to several hours of penal service such as cutting grass, washing the car, etc.
For most people, this avoidance mentality carries into adulthood. Regardless of age, nobody likes to be responsible for something bad happening. So perhaps we avoid situations that could involve failure so that we can’t be blamed. We don’t experiment with new things. We don’t offer up new ideas. However, sooner or later, most of us are going to have to expose ourselves to a responsibility that could result in failure. And in most cases, unfortunately, someone is ultimately going to be blamed, and there will be repercussions.
Almost every organization operates on a tight financial budget. In the current economic climate, teams are challenged to increase results while using fewer resources. Investment is often reserved for high-visibility projects that will boost the company’s financial standing. While mandated compliance is treated as an inevitable expense, security often takes a backseat to other projects and is subject to cost-cutting.
Security is an area that carries significant responsibility. Data is arguably one of the greatest assets that an organization has. Securing that asset should be an ongoing investment as failure can have massive impact on the bottom line. Mishandling data results in significant unplanned cost if that data is not available for its intended purpose; or worse, if it’s accessed by someone outside of the organization. It can also have serious negative consequences for the individuals charged with its safety.
I still meet corporate employees who are unwilling to conduct a no-charge Security Scan of their existing configuration, as it would mean they’d then have to acknowledge their corporate data might actually be at risk. They prefer a policy of “don’t ask; don’t tell!”
I also speak with people who already know that their data is not well-secured and explain that their management wouldn’t approve money to purchase a security solution. They don’t even make the recommendation in order to avoid the spotlight. I suspect that it’s partly out of fear that they’d be blamed for not having the right controls configured in the first place, or for requesting money.
Employers must proactively encourage employees to make recommendations that might improve the efficiency of processes and harden security. Well-engineered solutions reduce the burden on staff, enabling them to focus on more profitable tasks. Expect an increase in security functionality and event responsiveness—criteria that might not result in increased profits, but that prevent profits from being taken away.
Retribution should be reserved for those who don’t act, not for those with the courage to speak up. If an employee senses that their job security might be impacted by streamlining the processes they perform, or because they request resources to fix poor configuration, then the business is ultimately going to pay the price.
Conduct a scan and determine what risks may exist. Mitigating those risks will typically require funding, but this must be a management decision, not an I.T. administrator’s decision. Security is a joint responsibility and is too important for someone to keep quiet about for fear of being blamed.
If you’d like more information on HelpSystems' security and compliance solutions, contact me at firstname.lastname@example.org.