Time for an individual security reboot

We are part of the problem, and must become part of the solution.

I am a significant pessimist. To me, Murphy was indeed an optimist. As such, I was frankly a bit surprised at myself when I came to the realization today that our cybersecurity situation is worse than I imagined. What pushed me over the edge? Consider:

Excellus healthcare hack – 10 million records exposed in an intrusion that began in late 2013 and was only just discovered.

Ashley Madison – The most frequently used password on the hacked site was "123456."

Microsoft – Windows 10 finding more and better ways to capture our private data.

Our security infrastructure, which I would have likened to Swiss cheese, appears to have far more holes than cheese.

It is likely that each of us, as consumers, thinks of ourselves as one of the victims. In pondering this, however, I think that, regardless of our job descriptions at work, we as consumers share some measure of responsibility for the mess we are in. For example:

  • Many of us work somewhere, and notwithstanding our functions in the workplace, our failure to personally follow policies and guidelines can impact our employer.
  • We all use some web-based systems, but we typically don't do proper due diligence on the companies that provide these applications.
  • We often try to get away with using as weak a password as any system will allow, and we reuse the same or a similar password on all of our systems.

As my friend Chris Romeo so aptly tweeted, “security culture eats strategy for breakfast and lunch.”

Folks, it seems that we have found the enemy, and it is us. To achieve tight information security, we must each individually take responsibility for our slice of the world. This is especially true for those of us in IT and information security. We are good at setting policies, but how are we at following them? The results of a study published recently by eWeek address that question. According to the research, 40% of security administrators choose not to follow the mobile policies they establish for their own companies.

Other times, we ignore exposures we know are serious, because we are afraid to make our co-workers mad. Case in point: I was at a customer site this week doing a wireless risk assessment. After an initial site survey, I always ask a series of exploratory questions, the first of which seeks to assess the complexity of their wireless password. This company has an eCommerce presence, PCI-regulated data, and an IT admin with formal training. And yet, when I asked about the wireless password, the sheepish look I got told me all I needed to know. Their password was weak, and they knew it was weak. Their security administrator did not want to inconvenience anyone by making them change their passwords.

I don’t mean to single this company out, because I have found this to be the case more often than not. It seems that we, not the Chinese, Russians, or some evil hacker, should be our primary concern. This is particularly true of those of us who call ourselves IT or security professionals. We must act as leaders every day, or nobody will follow. We must fearlessly implement the proper policies and procedures, even though they make us unpopular. We must reboot our individual security focus, so that collectively, as a society, we can achieve tight security.


Live it

Take a look at everything you do as a security consumer. Are all of your practices consistent with what you tell your constituents at work? If not, fix them (I am preaching this as much to myself as to everyone else).

Model It

Anyone who knows of our positions as information security professionals will watch us. They assume we know what to do, and they will imitate us. So, if we have no password set on our smartphones, or walk away and leave our PCs unlocked, they will think it is OK to do the same. If you are willing to set and enforce a policy, you must be willing to live with it yourself.


With all of the press focus on information security at present, those of us in the industry have a bit of a bully pulpit. Use the opportunity to help people understand what proper practices are. Speak to community and school groups, write a blog, tweet -- get your message out to anyone who will listen.


Study and continue to study

Cybersecurity is a moving target. What works today may be useless tomorrow. We can't be effective as information security professionals without ongoing education. I spend many hours every week reading and studying, just to try and stay current.

Stand firm

Set proper and secure policies and procedures for your organization, even if they are unpopular. None of us in the information security profession are here for the accolades. If we do our jobs and keep our organizations secure, it is unlikely that many will notice. If we don't, and the organization gets hacked, we will be the focus of attention we don't want. If you chose information security as a profession for the recognition, I would respectfully suggest a job change.

Bottom Line -- good information security begins with those of us who are the professionals, and the key to our success is our own individual security practices. If you are not willing to hold your approach up to scrutiny, consider a reboot, before you become an example of the wrong sort.
