By Ari Tammam, VP Channels
This dilemma faces many IT administrators and even CIOs. Depending on who the culprit is, whether a senior executive or a low-level employee, many enforcers of IT security are unwilling to confront non-compliant employees head on. If keeping your job is the concern, then my advice is to use HR (Human Resources): that is their job. If disciplinary measures are needed, provide them with the evidence of any breach or wrongdoing and let them deal with it.
Behaving like an ostrich and burying your head in the sand will do no good for anyone, and if the problem caused is serious and has costly repercussions, then your job may well be on the line for not identifying or reporting the problem. If researchers and analysts are to be believed, most internal threats are accidental and hence avoidable. All you need is a comprehensive monitoring system that quickly identifies any deviation from policy (security, corporate, usage, etc.) and gives you full visibility into what is running or not running on the devices connected to your network. Even if you're a CIO who doesn't want to rock the boat, you still need to report to your CEO with status reports, or at least inform the CEO of problems you perceive. Remember, the authorities do not accept excuses like "We didn't even know there was a problem" or "We don't have the ability to monitor users' activities like this". You are responsible and required, especially if regulated, to invest in technology that provides this information so that you can identify problems and fix them when they arise.
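To make the "deviation from policy" idea concrete, here is an added example (not Promisec's product code) of what a periodic endpoint inspection boils down to: a policy listing processes that must be running and processes that must not, an inventory of what each device is actually running, and a report that turns the gap into evidence per device owner. The policy entries, the hostnames, owners and process names are all constructed for illustration.

```python
"""Periodic endpoint compliance inspection (added illustration, not Promisec's code).

Compares what each device is actually running against a simple policy and
produces a deviation report that can be handed to HR or the CEO as evidence.
The policy and the inventory below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed policy: agents that must be running, and software that must not.
REQUIRED_PROCESSES = {"av-agent", "backup-agent"}
FORBIDDEN_PROCESSES = {"p2p-client", "remote-admin-tool"}


@dataclass
class Endpoint:
    hostname: str
    owner: str
    running: set  # process names observed on the device during inspection


@dataclass
class Deviation:
    hostname: str
    owner: str
    kind: str      # "missing_required" or "forbidden_present"
    process: str


def inspect(endpoint):
    """Return every policy deviation found on one endpoint."""
    findings = []
    # Required agent not running: the device is unprotected or not backed up.
    for proc in sorted(REQUIRED_PROCESSES - endpoint.running):
        findings.append(Deviation(endpoint.hostname, endpoint.owner,
                                  "missing_required", proc))
    # Forbidden software present: a usage-policy breach regardless of intent.
    for proc in sorted(FORBIDDEN_PROCESSES & endpoint.running):
        findings.append(Deviation(endpoint.hostname, endpoint.owner,
                                  "forbidden_present", proc))
    return findings


def inspect_all(endpoints):
    """Run the inspection across the whole inventory."""
    deviations = []
    for endpoint in endpoints:
        deviations.extend(inspect(endpoint))
    return deviations


def summarize_by_owner(deviations):
    """Count deviations per owner: the evidence you hand to HR or the CEO."""
    counts = {}
    for dev in deviations:
        counts[dev.owner] = counts.get(dev.owner, 0) + 1
    return counts


# Constructed inventory: what a clientless inspection might report back.
SAMPLE_INVENTORY = [
    Endpoint("ws-001", "alice", {"av-agent", "backup-agent", "browser"}),
    Endpoint("ws-002", "bob", {"av-agent", "p2p-client"}),
    Endpoint("exec-lt-01", "ceo", {"remote-admin-tool", "browser"}),
]

if __name__ == "__main__":
    found = inspect_all(SAMPLE_INVENTORY)
    for dev in found:
        print(f"{dev.hostname:12} {dev.owner:8} {dev.kind:18} {dev.process}")
    print(summarize_by_owner(found))
```

The report deliberately records the owner alongside each finding: the point of the post is that the administrator's job ends at identifying and documenting the deviation, and the per-owner summary is what gets forwarded, whether the owner is a junior employee or an executive.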
Occasionally when I speak to some peers they tell me "You've got some great technology at Promisec with its clientless inspections, but I'm too scared of what I might find. If I run one of your inspections it could open up a whole Pandora's box of problems". Well, that's exactly what it's for!
If you have no visibility into the problems on your network, then how the hell are you ever going to keep it secure and worry free?
Taking the ostrich approach helps no one, and eventually you will get caught with your pants down, excuse the expression. If most of the problems are avoidable, then simple periodic inspection of your network will give you that edge. How many articles have been written about users who knowingly, but not maliciously, breach corporate security policies just to get a task completed quicker or to reach sites they shouldn't? Even with strict policies in place, users fail to adhere to them. If it's the senior executives you are afraid of upsetting, then identify and fix the problems created by lower-level employees and, for the executives, just provide a report. At least that way you have done your job and left the onus on either your CEO or the HR department; but don't think that by avoiding the problem you are resolving it. All you are doing is leaving your network wide open, or letting some other upstart administrator, less fearful of the consequences, identify a problem and expose your lack of diligence, which may also cost you your job.