With so many of the same security problems plaguing organizations year after year, it’s time to get tough, a health care security executive suggested Tuesday during a panel discussion at the Cornerstones of Trust 2009 conference in Foster City, Calif.
Connie Sadler, information security officer at Lucile Packard Children’s Hospital at Stanford, said some security challenges from 20 years ago continue today. Security managers started out as tough but became less so as systems became more distributed and employees did their own thing, she said.
“I think we’ve lost control,” Sadler said, suggesting a range of corrective steps, including whitelisting, better access controls, and punitive action such as fines.
“There’s no consequence for having a bad password,” she said. “Maybe there’s needs to be a consequence for not doing basic things…We need to introduce more discipline into our environment.”
But responding to a question from the audience, Sadler acknowledged that the tough approach needs to be balanced. “Don’t we need both the carrot and the stick?” asked security luminary Donn Parker.
“There does need to be a balance,” Sadler agreed. “People shy away from doing the right thing because they don’t have the knowledge… It comes back to us. We need to train people.”
The annual Cornerstones of Trust is co-hosted by ISSA’s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.