I just attended a session with Jay Heiser and Tom Scholtz at the Gartner Information Security Summit called “Don’t be a Dr. No: A Framework for Positive Information Security Management”. The premise of the title, and session, is that information and security management often develop a reputation for restricting and discouraging activities for risk considerations that their colleagues just don’t understand. I admit that I have been a “Dr. No” from time to time in the past; I try to use the “no” card sparingly, and only when I really mean it.
One of the important positive actions that the speakers stressed was to use risk/data ownership as a communication tool – the premise being that when people assume ownership they tend to accept less risk. As a humorous anecdote, Tom Scholtz told a story about how a business unit downloaded ownership of a particular application to the IT department. The IT department thought there was too much risk associated with the application, so they drafted plans to eliminate it; naturally, when the business unit got wind of this they accepted ownership and worked with IT to make positive changes.
This novel tale is just like saying “no”, but in a much more convoluted/devious way. Of course, Heiser and Scholtz didn’t advocate this as a viable strategy; yet, when the audience heard the story, everyone gave that sort of chuckle that says “that’s so ridiculous, but…”
If you are at the end of your rope (and aren’t afraid of getting fired) maybe this is an “ace in the hole” that you might like to try.
Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at Gartner Information Security Summit 2009
Regular blogger for Cogitatio Privatim by Camouflage