- Doug Jacobson, Julie A. Rursch
There’s an old adage: Attitude decides one’s altitude in life. This famous saying simply means that your attitude affects your level of success, and the same holds true for organizations when they are implementing and maintaining IT security.
Whether we want to believe it or not, every IT worker’s attitude about IT security affects how well our organization, business, or university is secured. And, those attitudes are contagious, shared by the IT department with the general rank-and-file of an organization’s workforce.
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform. Look around at almost any IT department and you will see the silos that still exist. We find individuals, or groups of individuals if the company is large enough, who have their own area of specialization. This includes the network group, the database group, the programming group, the middle-layer group, the VoIP group, the system analysts, the system administrators, and the lowly computer support group; and then, in their own little world, those snooty security folks.
While everyone else in the IT department is trying to get users connected, with more access to data, easier retrieval of information, and basically, making employees lives easier—the security team is questioning every decision and locking everything down. All the while, some IT security practitioners are looking down their noses at other IT staff for not securing the product or service from the beginning.
When users call and say, “Yesterday, we could do ‘X,’ but today we can’t,” the IT staff grumbles into the phone, or over the instant messaging chat, that the security group locked “Y” down, so employees can no longer do “X.” End users don’t know whether the new policy is good or bad; they only know that their IT support person said it was someone else’s decision, and that it hinders their workflow. So, security is now a bad thing, and this message is trickling down from IT staff to end users.
Security shouldn’t be conducted in a silo. All IT staff -- and employees -- need to understand how important security is and how the decisions they make on a daily basis affect the organization’s security. Whether it involves secure technical implementations or talking to users about a new security practice, the decisions IT departments make have an effect on the company. Security is a serious issue and we all need to be vigilant. A positive attitude and proactive approach are just two ways to keep security at the forefront of everyone’s daily activities.
Most IT workers aren’t being malicious when it comes to the IT security folks and their policies. Some people on the IT staff lack IT security education; they make daily decisions without giving security much thought. This treatment of security as a hindrance, or as unimportant, often stems from the IT workers’ education. Think back to your own college education. Take, for example, your programming classes. When were you taught input validation or error checking? It was usually well into the semester, after you had figured out how to take input from a keyboard and spit things back out to the screen. We spend so much time trying to get students to understand how the basics work that we forget to paint the big picture for them, and to impress upon them how important things like input validation and guarding against buffer overflows are. We say, “They will learn it when they do a senior design project.” However, the time spent on IT security education, just as in the initial programming classes, never really comes. We have said before that we believe in security across the curriculum, and we believe that we as educators hold the keys to the future attitudes of upcoming IT workers.
Educating current IT staff and ensuring that they are security literate is the first step. Attitude not only affects altitude in personal matters, it also impacts an organization’s security on a very real level, on a daily basis.
About the authors:
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.
Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to firstname.lastname@example.org.