An Open Letter to WSJ Online

My thanks go out to  my fellow CSO bloggers at "Security Blanket" for pointing out this article in their blog entitled: WSJ: How to skirt corporate IT policy. After reading the WSJ article, I had to chime in with my own piece.

What is the Wall Street Journal Online doing? My opinion: their article on ten ways to get around cybersecurity is shocking. Here's my letter to the author of the article and their online editor:

Hello Vauhini,

My name is Dan Lohrmann, and I am the State of Michigan's Chief Information Security Officer. I am also the Director of Enterprise Security for Michigan State government, overseeing IT risk management for our 55,000 state employees and critical government services. I am also the President of Michigan InfraGard.

Please reference your article entitled: "Ten Things Your IT Department Won't Tell You," which was published on July 30, 2007, I'm writing this e-mail to express my surprise that such an article would be written by the Wall Street Journal Online. In my opinion, these tricks represent the kind of writing I would expect to see in a hacker newsletter. While the online interview with Mark Lobel of PricewaterhouseCoopers and the podcast with John Pironti were well done, I believe that your article with the "ten problems" listed is frankly irresponsible.

My major concern in your disregard for cyber ethics or moral judgment. Do you want WSJ to be a force for good or evil in the world? I believe this article has the net effect of encouraging behaviors which could get employees fired, cause a security breach, or result in lost reputations or dollars. This article also provides details that could, if followed, compromise the integrity of the individual, a corporation, or a government organization. You list the types of unauthorized activities that we fight in security organizations around the country. IT professionals already struggle to combat cultural bias against safe computing and good security practices. Like the Federal Trade Commission (FTC), we try to teach our staff to stop, think, and click. This article legitimizes banned practices in the "think" phase.

There is no sense of right or wrong in this article, only a statement of risk and how to "stay safe." Like buying a radar detector to speed on highways, this piece suggests the opposite of open and transparent surfing while at work or using corporate computers or sensitive information. Didn't our country just go through a whole series of scandals because too many people disregarded laws, rules and regulations? Do these "tricks" comply with SOX? Do you read the same headlines that I do each week regarding the costs associated with security breaches and identity theft? Are you suggesting that "the end justifies the means?"

Remember that many people who read your articles have signed documents stating that they will abide by company policies and procedures regarding the acceptable use with company computers. The best way to truly stay safe in each case is to comply with corporate policies. Don't endanger your integrity. Violators are disciplined up to and including dismissal. I have seen these types of suggestions lead to numerous personal disasters. Is it really worth it?

Finally, I dislike the premise of your article: "To find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces ..." Sadly, there are many ways to go around security. Would you publish an article entitled "Ten Ways to Get Around Federal Regulations?" or "Ten Ways to Trick the Auditors?"

True, there are many ways to lie, cheat, and steal. That doesn't make it right. My main message in response to this article is simple: your integrity is at risk. Why put your family and career in jeopardy? Why risk the company?



Copyright © 2007 IDG Communications, Inc.

The 10 most powerful cybersecurity companies