
Time for an individual security reboot

Opinion
Sep 30, 2015 | 5 mins
Data and Information Security | Security

We are part of the problem, and must become part of the solution.

I am a significant pessimist. To me, Murphy was indeed an optimist. As such, I was frankly a bit surprised at myself when I came to the realization today that our cybersecurity situation is worse than I imagined. What pushed me over the edge? Consider:

  • Excellus healthcare hack – 10 million records exposed, in a hack that happened in late 2013 and was just discovered.
  • Ashley Madison – The most frequently used password on the hacked site was “123456.”
  • Microsoft – Windows 10 finding more and better ways to capture our private data.

Our security infrastructure, which I would have likened to Swiss cheese, appears to have far more holes than cheese.

It is likely that each of us, as consumers, thinks of ourselves as one of the victims. In pondering this, however, I think that, regardless of our job descriptions at work, we as consumers share some measure of responsibility for the mess we are in. For example:

  • Many of us work somewhere, and notwithstanding our functions in the workplace, our failure to personally follow policies and guidelines can impact our employer.
  • We all use some web-based systems, but we typically don’t do proper due diligence on the companies who provide these applications.
  • We often try to get away with using as weak a password as any system will allow us to use, and reuse the same or a similar password on all of our systems.

As my friend Chris Romeo so aptly tweeted, “security culture eats strategy for breakfast and lunch.”

Folks, it seems that we have found the enemy, and it is us. To achieve tight information security, we must each individually take responsibility for our slice of the world. This is especially true for those of us in IT and information security. We are good at setting policies, but how are we at following them? The results of a study published recently by eWeek address that question. According to the research, 40% of security administrators do not choose to follow the mobile policies they establish for their companies.

Other times, we ignore exposures we know are serious, because we are afraid to make our co-workers mad. Case in point: I was at a customer site this week doing a wireless risk assessment. After an initial site survey, I always ask a series of exploratory questions, the first of which seeks to assess the complexity of their wireless password. This company has an eCommerce presence, PCI regulated data, and an IT admin with formal training. And yet, when I asked about the wireless password, the sheepish look I got told me all I needed to know. Their password was weak, and they knew it was weak. Their security administrator did not want to inconvenience anyone by making them change their passwords.

I don’t mean to single this company out, because I have found this to be the case more often than not. It seems that we, not the Chinese, Russians, or some evil hacker, should be our primary concern. This is particularly true of those of us who call ourselves IT or security professionals. We must act as leaders every day, or nobody will follow. We must fearlessly implement the proper policies and procedures, even though they make us unpopular. We must reboot our individual security focus, so that collectively as a society we can achieve tight security.

How?

Live it

Take a look at everything you do as a security consumer. Are all of your practices consistent with what you tell your constituents at work? If not, fix them (I am preaching this as much to myself as to everyone else).

Model It

Anyone who knows of our positions as information security professionals will watch us. They assume we know what to do, and they will imitate us. So, if we have no password set on our smart phones, or walk away and leave our PCs unlocked, they will think it is OK to do so themselves. If you are willing to set and enforce a policy, you must be willing to live with it yourself.

Evangelize

With all of the press focus on information security at present, those of us in the industry have a bit of a bully pulpit. Use the opportunity to help people understand what proper practices are. Speak to community and school groups, write a blog, tweet — get your message out to anyone who will listen.

Study

Cybersecurity is a moving target. What works today may be useless tomorrow. We can’t be effective as information security professionals without ongoing education. I spend many hours every week reading and studying, just to try and stay current.

Stand firm

Set proper and secure policies and procedures for your organization, even if they are unpopular. None of us in the information security profession are here for the accolades. If we do our jobs and keep our organizations secure, it is unlikely that many will notice. If we don’t, and the organization gets hacked, we will be the focus of attention we don’t want. If you chose information security as a profession for the recognition, I would respectfully suggest a job change.

Bottom Line — good information security begins with those of us who are the professionals, and the key to our success is our own individual security practices. If you are not willing to hold your approach up to scrutiny, consider a reboot, before you become an example of the wrong sort.

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
