3:20 PM -- CEOs can afford to be generous and charitable. "We trust our employees," you hear them say. "We believe our employees will do the right thing."
If you're in IT security, however, you can't afford to be that magnanimous. A good security professional trusts no one: not the employees, not your business partners, not the guy across from you, and not the CEO.
Trust no one.
To support this little piece of advice, we offer the results of Dark Reading's latest survey, "Security Scruples." In it, we posed a range of philosophical and hypothetical questions designed to see how IT and security professionals would behave when faced with specific ethical dilemmas. The results were not exactly encouraging.
Now, don't get us wrong: Most of our 649 survey replies reflected great honesty and integrity. In our post-survey interviews, we heard lots of IT and security people speak of their commitment to ethics and morals. But we also heard some "different" viewpoints. Here's a sampling:
- Two percent said they would sell their company's customer list to a competitor for $50,000 and a job with the rival.
- Two percent said that if they found a way to capture data from other users or companies, they would keep it to themselves and try to exploit it for their own financial gain.
- Two percent said that if they found a colleague accessing unauthorized data (such as payroll information, personnel files, or executive plans), they would not only not report it, but they would ask the colleague to show them how to do it, too.
- Three percent said that computer information should be available to anyone with the skills and knowledge to access it.
- Eight-and-a-half percent said that if they knew where to find a list of employees named in an upcoming layoff, they would not only peek at the list, but they would share it with other employees.
We recognize that these numbers are very small. But let's remember that these are all people who are entrusted with the IT security of some business or organization. If there are security people out there with these attitudes, how many mainstream employees probably have the same disposition?
A lot, according to a study published last week by Prefix Security, a British security company. In fact, in a survey of 1,000 employees, Prefix found that a majority of respondents admitted to stealing corporate data, including confidential documents, customer databases, and sales leads. Some 37 percent of the males in the study said they believe such behavior is acceptable.
Clearly, in any population, there is a minority of individuals who will buck the morals and conventions of the group. We can argue for days over how they got that way: improper education, alienation from society, or inherent evil. But the fact is that they're there, and there's no easy way to root them out.
If you're building a security strategy, you have no choice but to take these individuals into account. No matter what your job, whether it's selling widgets or managing IT security, you're likely to find people who don't see the rules the same way you do.
Which is why every charitable, generous CEO is well advised to hire at least one security manager who trusts no one.
Tim Wilson, Site Editor, Dark Reading