At the recent RSA Conference Europe, the final keynote speaker was the former politician and governor of Hong Kong, Chris Patten. In a briefing with journalists, Patten appeared somewhat bemused to be at such a technical conference and admitted little understanding of the technology under discussion on the stands and in the sessions. However, he declared himself "no more out of his depth than most politicians" and bemoaned the lack of awareness of IT within Whitehall.
It's to RSA's credit that a figure like Patten was invited. His
thoughtful and opinionated speech was a welcome cap to three days of
intensive technical discussion on security-related topics. His grasp of
the big issues, from Iran, North Korea, global warming and, in his pithy
understatement, the "not wholly successful invasion of Iraq",
crystallised what this business is ultimately about: maintaining and
boosting business continuity in uncertain times.
As we adjust to the emergence of China and India, the challenge of
global warming and regulatory creep, those working in information
security will see their roles and responsibilities change. It's already
happening.
The 2006 IDC/(ISC)2 Global Information Security Workforce Study has just
been published, and we have some of the highlights and an exclusive
interview (page 42). What stands out is that the focus has shifted to
the people and processes in the security mix, which are now thought to
be of higher import than technology. As the report says, many
professionals have been saying this for years, but now the message seems
to be hitting home.
A real-life incident brought home how easily organisations can be
compromised by their people's lax approach to security. Forced to stand
on the train, I happened to look down and caught a glance at the
ThinkPad a fellow traveller was working on. Standing behind his seat, I
had a pretty good view of the email he was responding to. Now, because
I'm a journalist and nosey, I couldn't help but read what he was working
on. I was soon well equipped with detailed contingency plans for the
London HQ of one of the world's biggest oil companies.
This isn't just a failure of information security; it's the entire
business culture that needs changing. Fortunately for those involved, as
the editor of SC, I'm not about to reveal the information I gleaned to
anyone, but the incident bears out exactly what the IDC report was
talking about.
Here was a man committing a cardinal sin, and one that owes little to
technology. He was responding to sensitive company emails in a public
environment, with no regard to who may be looking over his shoulder. He
was also carrying sensitive information on his laptop. How secure that
data is is anyone's guess, but I'd be worried.
Mr ThinkPad is an accident waiting to happen. It's the copier syndrome -
you can put in as much technology as you like, but you can't stop
employees leaving confidential documents lying around in big piles next
to the Xerox machine.