Clearly employees are the core of any truly successful security program. Unfortunately, in many businesses, reporting security concerns can also uncover management problems, and most bad managers are highly unlikely to escalate anything that will make them look less than perfect. And, if you have a corporate culture that promotes bad managers, that's the same type of culture that is willing to punish employees for speaking up. Ideally all employees should be able to go to their in-house security team with reports of security concerns or policy violations, without fear of retribution. Unfortunately, I don't think that is the reality, particularly for Information Technology staff. So, those that are the most knowledgeable about security problems very often are prevented from reporting them. After all, it's easier for a bad manager to lie to the security team than admit to senior management that "No, we haven't really been doing the security evaluations on our application code for the past 3 years because I wanted to meet or beat every deadline you set on me for code releases, even though I only have 1/3 of the staff I need to do what you want." In a perfect world, all managers would put the company's security concerns before their own self-interest. But we don't live in a perfect world.
Five Ways to Turn Employees into Security Assets for Protecting Data
Trend Micro's Glen Kosaka explains how to prevent data leaks by raising security awareness and gaining employee support