I just attended a session with Jay Heiser and Tom Scholtz at the Gartner Information Security Summitcalled “Don’t be a Dr. No: A Framework for Positive InformationSecurity Management”.  The premise of the title, and session, is thatinformation and secutiy management often develop a reputaton forrestricting and discouraging activities for risk considerations thattheir colleagues just don’t understand.  I admit that I have been a“Dr. No” from time to time in the past; I try to use the “no” cardsparingly, and only when I really mean it.

One of the important positive actions that the speakers stressed wasto use risk/data ownership as a communication tool – the premise beingthat when people assume ownership they tend to accept less risk.  As ahumourous anecdote, Tom Scholtz told a story about how a business unitdownloaded ownership a particular application to the IT department. The IT department thought there was too much risk associated with theapplication, so they drafted plans to elimnate it; naturally, when thebusiness unit got wind of this they accepted ownership and worked withIT to make positive changes.

This novel tale is just like saying “no”, but in a much moreconvoluted/devious way.  Of course, Heiser and Scholtz didn’t advocatethis as a viable strategy; yet, when the audience heard the story,everyone gave that sort of chuckle that says “that’s so riduculous, but…”

If you are at the end of your rope (and aren’t afraid of gettingfired) maybe this is an “ace in the hole” that you might like to try.

Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at Gartner Information Security Summit 2009
Regular blogger for Cogitatio Privatim by Camouflage

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight