IP stands for Internet Protocol… what’s the big deal in protecting it?
If you are an executive in your organization, here’s an exercise that might open your eyes to what the real problems are with security in your organization. Randomly stop and ask people in the hall or in meetings what information they handle in their jobs that could be valuable to an outsider… You know, something worth stealing.
Chances are, you will find a lot of people who would say things like “I don’t know”, “nothing”, or “that big, expensive software program we bought last year”. Maybe you were expecting them to say things like “customer lists”, “power supply designs”, “process descriptions”, “corporate strategies”, “financial plans”, “hiring plans”. How about you get back to me and let me know (anonymously, if you like) what percentage identified the real Intellectual Property (IP) that your organization’s business systems depend on to operate from day to day.
Quite often I come across people who are frustrated and even despondent about how the “security wonks” are making it so hard to do their job that they believe the organization would be much better off without them. In some cases that may actually be true, if they don’t strike the right balance of risk reducation against acceptance of risk that isn’t worth worrying about. But most employees don’t make the connection between sensitive information and their daily routines. The usual rationalization is, “Why in the world would anyone consider stealing the boring stuff I work on every day? The Security guys are just plain paranoid.”
We need to start making the connection between individual jobs and their contributed value to the organization. Given that most organizations hold most of their market capitalization (in the private sector) or public trust (in the public sector) in “Intellectual Capital” - this is becoming critically important in keeping culture aligned with the business charter of the enterprise.
So, start asking your staff questions that can help you see if they understand the importance of the information they work with. If they can understand the real value of your information, they might stop fighting with the Security Wonks about what IP is really important.
pa5kl on 25 Jun 2007 at 5:49 am #
Good point. Reversing the question and asking business users what of the information that they handle is worth protecting is an interesting excersize. Not just for the security group to identify priorities, but primarily as an awareness tool to help those users acknowledge that the information that they handle is of actual value to the organization that they work for.
Security Views » Crop circles appear in the photocopier room… does your Incident Response Team ever hear about it? on 25 Jun 2007 at 6:21 am #
[…] I just wanted to follow up for a moment on my last post about what your staff thinks is important information to the operation of your business. It is not uncommon to find relatively sensitive information lying on the pile of printouts that didn’t get picked up. […]