


For Us or Against Us (Part 2)

Dec 14, 2006
Careers | Identity Management Solutions | IT Leadership

One colleague from a major consulting company told me that the “inappropriate surfing” problem was so bad in their company that they just stopped all web filtering, with the exception of spyware, etc. Their new approach: leave it up to the individual employees to ensure that they just “took care of business and didn’t end up in any of the wrong places.” The reason: they wanted to remove any motive for staff to attempt to go around filters and try to outsmart company cyber police. Of course, they still had the policy saying it wasn’t allowed.

“We’re not going to watch them anymore. We now treat them like big boys and girls, and tell them to just stay out of trouble. It was just taking up way too much time and resources.” 

What my colleague described was another way of saying that the only “real sin” has now become getting caught. It’s kind of like the common view of speeding on highways: you can go over the speed limit, just don’t get caught. Buy radar detectors, do whatever you have to do, but don’t get caught – or you’ll pay.

My response: that’s a bit like confronting an 18-year-old who has several speeding tickets by giving him a new bright red Corvette. You’re not likely to stop the problem by just trusting them more. Good monitoring tools (that can also filter and manage) help keep the staff honest and out of trouble. In cold war terminology – we need to trust and verify.

So what was the main lesson learned from my “unofficial” research? Regardless of which approach companies took regarding behavioral oversight, they almost all recognized the same problem. We’ve seen the enemy, and they’re sometimes one of us. 

You may be thinking – Hold on a minute. What happened to the assumption that our internal users didn’t know any better? We thought that they were – well, less informed about these “cybersecurity things.” They bring in worms and stuff because our awareness programs are lacking, right? Were all of those speeches on cultural change and various aspects of security and identity theft just a waste of time? Is the audience already smarter than the presenters?

Personally, I’m not there, yet. I believe cyber education is still relevant for the majority of the people we deal with. I’m confident that social engineering is still regularly tricking people. I don’t think most people know how to stop basic cyber attacks at home, much less bypass web filters at work. We still need to educate … Yada, Yada, Yada …

Still, we’re discussing another small (but growing) section of the crowd. They are: “the rest of the story.” They obviously know what they’re doing. They take up quite a bit of our time which should be spent elsewhere. These people do get it, and they know how to cover their tracks. They’re living on the “wild side,” on purpose, but their actions often put the rest of the enterprise at risk of trojans, botnets, and worse. This conduct increases our enterprise security risk in numerous ways.

Next, I’ll tell you what I think the core issue is.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
