This week SearchCIO will run an advice piece from Forrester Research Inc. on building a "human firewall" against the relentless security threats faced today by companies, big and small. "For too long, creating security awareness has been an afterthought, something security executives did in their spare time after putting out the operational fires that sprang up around them with alarming regularity," security analyst Andrew Rose writes. It's an excellent piece, not just on the argument for enlisting workers to defend against the rising tide of security threats, but also for its advice on how to go about gaining their support. Put away the posters, colored markers and top 10 lists, Rose advises, and instead use straight talk, humor and storytelling to educate employees on how they can help protect the enterprise and their own workspace. If necessary, go get "a crash course in behavioral science" from the company's marketing team, so you can talk about security threats in ways that resonate with employees, he says. The tone of any security awareness campaign should fit the company culture.
To turn employees into firewalls who don't open suspicious emails, don't go to questionable sites, never use obvious passwords, and so on, seems like a sensible idea. It's their livelihood too that's undermined by security threats. The problem is some of these employees -- certainly the younger ones -- will have no idea what you are talking about. They live public lives as opposed to private lives, and much of their lives are experienced online -- unburdened by privacy concerns.
They live public lives as opposed to private lives, and much of their lives are experienced online -- unburdened by privacy concerns.
I saw a stunning example of this on Friday, when I and more than 1 million other Bostonians were locked down at home and glued to our media as police swarmed a 20-block radius in search of suspect No. 2 in the Marathon bombings. TV was interesting to watch, especially when I had secondary online super-sources. Thanks to my well-connected daughter, one of the Twitter feeds I followed was Michael Skolnik's, co-president of New York-based GlobalGrind.com. Although farther away from the action than the TV cameras and on-site reporters or than I, he was tapped into police scanners, FBI sources, news sources and who knows what else. All I know is that he divulged, with remarkable accuracy (I later learned), moment-by-moment details of the final push to the boat hideout of wounded suspect Dzhokhar Tsarnaev. Before anyone on any of the TV stations I was surfing knew it, he knew that thermal cameras had picked up the heat signature of a body in the boat. He knew when the suspect sat up and when he lay down. He knew when negotiators were using a bullhorn to communicate with the suspect, even as the TV reporter on the scene dismissed the sounds as crowd noise. He had a picture of the handcuffed suspect, captured on a cell phone, when TV news people were still uncertain if the 19-year-old was dead or alive, much less caught.
How did he get all this info? The police, the mayor, our governor and other officials were tight-lipped about even the most basic details, yet somehow this guy in New York was giving a blow-by-blow account of what was going on. A security breach? You bet. But on whose part -- an officer, a SWAT team member, police scanners, citizen reporters? It hardly matters, because that's what happens when people become accustomed to living life online. Was there misinformation? Yes, but errors were corrected quickly, washed over by a flood of new up-to-the-minute details. That's what happens now that people are living the e-life.
Recent CIO Matters columns on the privacy crisis
Workplace privacy enters uncharted territory
Big data vs. personal privacy, watch out!
Privacy is gone -- the lack of it helped solve this horrible case; it also allowed Skolnik's 100,000-plus followers to be "embedded" in the action. So, as we try to make sense of workplace privacy, just don't expect too much from employees, at least when it comes to forming a human firewall against security threats. Increasingly, we prize "our" right to know more than "their" right to privacy, whether the "they" be a company, diplomatic cables, a government agency, a university archive's published material, a marathon runner with his legs blown off or a handcuffed suspect.
Let us know what you think about the story; email Linda Tucci, executive editor.
This was first published in April 2013