Thursday, October 05, 2006

I was recently interviewed as a follow-up to an IT security poll being conducted by DarkReading.com. This week for the sake of discussion, I'm 'reimaging' (the verbiage gets a little less clear when there's an e-mail interview in response to an internet-based poll, because you can't really reprint what was never printed in the traditional sense - can 'reimage' be coined here?) the interview in the traditional question and answer format.

One reason for doing this is to expand on the quote from the resulting article, because there was a component of the idea that was not included in the article - the thought of a professional board of some kind to regulate/censure IT professionals. The link to the article is http://www.darkreading.com/document.asp?doc_id=105282 (DarkReading and LightReading are siblings worthy of reading; as with everything research-oriented, though, read for ideas but do a fair amount of research before taking stances). My bottom line is that we are serious professionals working the tools that shape the future of our economy, and if we are to be taken seriously, then we need to require more of ourselves.


Q: In our poll, we found that quite a number of IT people use their security privileges to "peek" at data that other employees would not be able to view. Why do you think this happens--is it just natural curiosity, or is there a broader attitude that IT people should have the right to access any data they like?

A: I believe there are two reasons why someone would do this. The first is the natural curiosity that leads to casual social engineering, phreaking, hacking and other infractions against privacy – those times when ‘can’ overwhelms ‘should’. The second reason is that there is an intellectual progression that takes place when someone enters the security arena that causes a rationalization to take place – “They wouldn’t give me access to do this if it wasn’t somehow okay, and as long as I don’t hurt anything it’s actually a good way for me to use and refine my skills at working with this so that I can help users and assist the company through a depth of knowledge.” In neither case do I believe people initially intend to do harm, but in both cases harm begins with the person who compromises their position and ends with true violations of corporate data policies and possible theft, etc. The term ‘slippery slope’ covers a wide variety of use/abuse of technology by its practitioners, and without a check and balance either externally-delivered (supervision of security activities) or internally-delivered (harder to come by, but ethics do still exist), the situation can quickly escalate.


Q: Where did you learn your personal ethics about IT security? Do you get this sort of training in school, from management, or through certification courses? Do you think there is a need for a universal "code of conduct" among IT and security people?

A: There was once a book written about the fact that the sum total of the really important things you need to get along in life are taught in kindergarten (“All I Ever Needed to Know I Learned in Kindergarten” – Robert Fulghum, if memory serves [I later checked this, and it is correct, except that the title of the book is "All I Really Need to Know I Learned in Kindergarten" - CT]), and it is mostly a true concept. I come from a deeply-religious background that had a strong sense of ethics at its core. For example, if you found an item in your grocery cart that you didn’t get charged for, then you waited in line at the customer service desk until your turn came, and you paid for it, regardless of the hassle. If the door was locked, that meant that you should stay out. It’s an affront to the naturally curious side of us, but we need to remember that’s the side of us that occasionally wonders whether or not it would be a good idea to bungee jump 100 feet using a 105-foot cord.

The fundamental elements for ethics exist almost universally, as long as they are subscribed to and followed. The real problem comes in when, instead of ethics, children/adults are instructed in the art of the situational ethic – that the ends justify the means. There’s certainly a lot of buzz now about this very issue, but a lot of the people buzzing are doing so to relieve the tension they felt when they realized it could have been them that got caught with their hand in the cookie jar. We need a licensing or other certification program that contains a code of ethics. I find it interesting that we require a person to pass the bar to practice law and pass the boards to practice medicine, and that we hold them accountable against their ability to practice their discipline, yet we don’t have anything analogous to that in the security field. If a lawyer malpractices, we lose some money, generally, and when a doctor malpractices, the damage, though serious, is generally limited to a small group. Then we freely hand out the security keys to those whose malpractice can affect thousands of people, and might even destroy the company. There are IT certifications and degrees of education, but those are traditionally held safe no matter what.

Has a certification or an academic degree ever been withdrawn due to a person’s actions in the field? Though it has infrequently happened due to plagiarism perpetrated while a person was studying, I don’t believe it happens as the result of how they ply their trade, and we need to stop and take a look at that. If someone who was mostly honest but was being tempted to abuse their power considered that the struggles they went through in graduate school might be all for naught if they cross that line, they may find the ability to withstand and do the right thing. For someone so totally dishonest as to discount that eventuality, we’re much better off with them being stripped of the ability to do it again in the future.


Q: Despite the emergence of state laws that require companies to report security breaches, many respondents to our survey said they still would not report breaches publicly. Do you think current laws have enough teeth to force companies to report their vulnerabilities? Have these laws had any impact on your policies for reporting breaches?

A: I grew up with the teaching that locks are for honest people, as are laws. The basic ethics crisis in our industry dictates that the laws are going to be ineffective as currently written and enforced. In order for a law’s teeth to sink in, the breach must first be identified, then “known about,” then investigated, then attributed. By that time there are going to be precious few people who haven’t found a way out of the situation, either by something as sneaky as back-dating documents to something as seemingly innocent as pointing out that their latest statement of security that was mailed out (consisting of 35 pages of a size-5 font) detailed the potentials that existed for a leak, and that the breach was something that they’d given their best due diligence to try to stop. Layer after layer, the root cause of being more concerned about corporate wealth than data health will emerge from the fog, at which time it’s too late for the victims. The guilty execs will spend $300,000 or so of the corporation’s money to wrangle a fine and time served, then will go forward with their stocks still in hand, retiring underneath the comforting shadow of their golden parachute.

As for the effects on our IT area, each breach that is revealed gives further credence to the intensity with which we pursue data security. We have found that data security is assisted by firm policies and procedures. They take some time to work through, as in the approval for someone to be able to view certain data, but that time allows the responsibilities and expectations to be clearly communicated, and for those in positions of accountability to have fair knowledge of what is going on. I’d suggest that a safer approach than what seems to be the common, “Just give it to them – we have things to do,” approach would be the “Ice On Bridge” sign. Though the speed limit is 55, there are still times when you slow down to go over the bridge, because it’s not safe to hit it at full speed. You might make it just fine, but if you crash, everyone will know it was due to failure to heed the signs and conditions that were guiding your trip.


Q: Most of our respondents said that their companies take a fairly lax approach to e-mail and Internet access, allowing employees to use company systems for some personal reasons, as long as they don't abuse the privilege. However, there has been a recent increase in security violations that occur through social networking sites, phishing e-mails, and other Web usage. In view of these developments, do you expect your company to "crack down" on the use of Internet and e-mail access for non-business reasons? Why or why not?

A: We are in a unique situation. As a public university, we have to be very careful when it comes to academic rights and freedoms, the freedom of expression, etc. As an example, if we thoroughly blocked MySpace, we could possibly endanger relevant sociological research; if we really tightened e-mail down it would most likely not allow valid communication through. It is difficult to balance the scales between rights/freedoms and responsible system usage.

We are also an organization that works to actually define what good work is. Some of the findings that have come through research into the new work world shed light on how difficult it is to thoroughly connect employees to their jobs (Blackberries, 24/7/365 arrangements, etc.) and expect there to still be a clear line of demarcation between their business and personal lives. It is difficult to define where the line between social and business interaction is, and there are sometimes informal networks that produce formidable results (e.g., “I have a friend who just happens to know AJAX…”), so we as an organization have to be especially careful how and where we apply control. If someone commits a crime, then we fully cooperate with the authorities, but if they haven’t committed a crime against anything other than good taste, the waters are a great deal murkier. A for-profit company or private institution would most likely not have to be as tolerant of variations in user habits, so this is an issue that begins and ends with the latitude we can offer. Either way, addressing the problem has a lot to do with educating the users, a place where I believe most companies fall short.


Q: Nearly three-quarters of survey respondents said that the biggest threat to the security of their organizations comes from *inside* the company: dishonest employees, disgruntled employees, top-level executives or unethical IT staffers. Why do you think the "insider" threat is greater than the external threat from hackers and organized crime? What is your organization doing to protect itself from this insider threat?

A: The reason the insider is so much more of a threat is that they’re in the front door already. Just the fact that they have a user account inside your firewall means that they are a larger threat. They have overcome the first boundary to a hacker – the perimeter. In addition, status seems to be attached in the industry to how much access you have, so the accumulation of access seems to have replaced the corner office in the hierarchy of the corporate world. The likelihood that those accumulating the access have relevant needs for all of the abilities they have is slim, but they have it because they said they needed it, and they are in charge. So, when a person feels their power base threatened, they are more likely to do something significant to demonstrate that they are in charge.

We are fortunate in this aspect, because anyone requesting access to information must be approved through at least two different levels of the organization, and access is not granted on the basis of status, but on the basis of need. In addition, no one person holds “the keys.” In my area of responsibility, I can grant some access, but I don’t even have rudimentary access to the financial system, and the granters of access to the financial system have no way to grant access to other parts of the system. On top of that, we don’t operate in a vacuum, and have fostered a relationship between those doing primary functions and their backups so that there is communication when a change is made, and all changes are made using a standardized system in a batch manner, so that both can see what has happened, when and especially why. When you give one person the ability to do all security functions, you invite trouble.
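As an added example (not the interviewee's actual system, and not code from the original post), the controls described in this answer can be modelled in a few dozen lines: a request needs approvals from two distinct people at two distinct organizational levels, a granter can only act on the systems scoped to them, nobody can approve or grant for themselves, and every grant lands in an append-only ledger recording who, when and why. The people, levels, system names and the request itself are constructed for illustration.

```python
"""Dual control and separation of duties for access grants.

Added example modelling the process described in the interview answer.
All names, levels and systems below are constructed, not real.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class PolicyViolation(Exception):
    """Raised when a grant would break dual control or separation of duties."""


@dataclass(frozen=True)
class Person:
    name: str
    level: str                              # organizational level (constructed)
    grants_for: frozenset = frozenset()     # systems this person may grant on


@dataclass
class AccessRequest:
    requester: str
    system: str
    reason: str                              # the "why" that goes in the ledger
    approvals: list = field(default_factory=list)   # (approver, level)

    def approve(self, approver: Person) -> None:
        if approver.name == self.requester:
            raise PolicyViolation("requester cannot approve own request")
        if approver.name in (name for name, _ in self.approvals):
            raise PolicyViolation(f"{approver.name} already approved")
        self.approvals.append((approver.name, approver.level))

    def dual_control_satisfied(self) -> bool:
        # Two different people from two different levels of the organization.
        levels = {level for _, level in self.approvals}
        return len(self.approvals) >= 2 and len(levels) >= 2


class AccessLedger:
    """Append-only record of grants; primary and backup both read the same log."""

    def __init__(self) -> None:
        self.entries: list = []
        self._granted: set = set()

    def grant(self, granter: Person, req: AccessRequest) -> dict:
        if req.system not in granter.grants_for:
            raise PolicyViolation(f"{granter.name} cannot grant on {req.system}")
        if granter.name == req.requester:
            raise PolicyViolation("granter cannot grant to self")
        if not req.dual_control_satisfied():
            raise PolicyViolation("needs approvals from two different levels")
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "granter": granter.name,
            "user": req.requester,
            "system": req.system,
            "approved_by": list(req.approvals),
            "reason": req.reason,
        }
        self.entries.append(entry)          # never edited or deleted afterwards
        self._granted.add((req.requester, req.system))
        return entry

    def has_access(self, user: str, system: str) -> bool:
        return (user, system) in self._granted


def run_scenario():
    """Constructed walk-through; returns (ledger, list of blocked violations)."""
    alice = Person("alice", "analyst")
    bob = Person("bob", "manager")
    frank = Person("frank", "manager")
    carol = Person("carol", "director")
    dave = Person("dave", "manager", grants_for=frozenset({"finance"}))
    erin = Person("erin", "manager", grants_for=frozenset({"student-records"}))

    ledger, rejected = AccessLedger(), []
    req = AccessRequest("alice", "finance", "quarterly reconciliation")

    def attempt(action):
        try:
            action()
        except PolicyViolation as exc:
            rejected.append(str(exc))

    attempt(lambda: req.approve(alice))       # self-approval blocked
    req.approve(bob)
    attempt(lambda: ledger.grant(dave, req))  # only one approval so far
    req.approve(frank)
    attempt(lambda: ledger.grant(dave, req))  # two approvals, but same level
    req.approve(carol)
    attempt(lambda: ledger.grant(erin, req))  # erin is not a finance granter
    ledger.grant(dave, req)                   # all checks pass; logged
    return ledger, rejected


if __name__ == "__main__":
    ledger, rejected = run_scenario()
    for violation in rejected:
        print("blocked:", violation)
    print("ledger:", ledger.entries)
```

Running the scenario blocks four attempts (self-approval, a single approval, two approvals from the same level, and a granter acting outside their scope) before the one grant that satisfies every rule is written to the ledger with its reason attached.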


Q: What do you see as the biggest ethical dilemma that IT and security professionals face today?

A: I think this topic is it. Our systems are so complex, and there are so many variables, that errors and omissions are relatively easy to cover up. As kids we learned on the playground that if you don’t call your own fouls and ‘fess up, the other kids will shortly not invite you to play. As we grow and enter the work world we forget that, and so we make mistakes and, instead of calling our own fouls and admitting to them with a plan for correcting the problem, we blur everything to try to escape the blame. Show me an IT worker who never makes a mistake, and I’ll show you someone who’s either so deeply ineffective as to be immaterial to any of the work, or so untrustworthy that they’ll hide anything at any time. We all make mistakes, and as we teach our children, it’s better to admit what you’ve done before your parents find out independently. Is my approach to this matter simplistic? You bet. It’s as simple as blending the basic foundations for human relationships – trust and respect – with the basic foundations of sound business practices – accountability and ethics – to create the operating theater for the IT practitioner.
