Image from Pixabay
“Yes officer, this is indeed my car, but the broken rear light is really the fault of the garage. They serviced the car a month ago!” Most reasonable people will understand that they can't get away with that. That car is yours and you are responsible for the proper functioning of all legally prescribed equipment. And that’s the end of it.
“Information security starts with an i, so ICT owns it!” Someone actually said that. Do you see the parallels with the previous paragraph? In both cases there is someone who either wants to bluff his way out of his responsibility, or someone who doesn't know what's going on. In either case, it's high time to get things in order.
I'm not really sure where the word 'ownership' comes from. Is it ICT jargon? Is it some kind of euphemism for ‘responsibility’? Anyway, that's what it means to me: if you own something, you're responsible for it. And that responsibility – of course – also includes the security of the thing in question. There are data owners, system owners, risk owners, and yes, even our intranet has a product owner; whatever you can come up with, there will be an owner. Incidentally, ownership does not go so far as to allow you to take home the thing that you own in a business sense – you own it, but it is not your property. All very complicated.
It took years for data ownership to be well established. Everybody would dodge the issue. The word ‘owner’ often has a positive connotation; the word ‘responsibility’, on the other hand, implies a heavy burden. Especially when it comes to the kind of data we are dealing with. But it worked out in the end, and progress is still being made in the area of responsible data handling. Since last year we even have data stewards: colleagues who supervise the correct handling of data.
Back to the quote in the second paragraph. I don't know who said that, but it shows little insight into how things work. If you leave out the first part, “information security starts with an i”, which may have been meant to be funny, what remains has long been a fairly common view: the IT department is responsible for information security. And there will still be organizations that are explicitly set up that way, or – even worse – that work this way implicitly. That is worse because responsibilities are not assigned at all; everyone tacitly assumes that ICT is running the show. But even if it's explicitly set up that way, it's no good. Why? See the first paragraph. Just as the garage is not responsible for the correct operation of your rear light, the IT department cannot be responsible for the security of an organization's systems. The role of ICT is advisory, executing and enforcing: based on our specific knowledge, we help the business to determine the rules of the game, we implement those rules and we monitor compliance with them – on behalf of the business.
A structure like that is also likely to be encountered if you delve deeper into the organization. I work in the IT department of our organization, in a team that is accountable for the security of everything the IT department does. It is important to understand the term ‘accountable’; it is quite different from 'responsible'. The latter term is a management thing: every manager is responsible for the security of the things he has under his care. On the basis of our accountability, we ensure that managers fulfill their responsibilities, and we help to achieve and maintain that situation. We should all keep in mind that security is not a product but a process. In other words, it's never finished, but it keeps getting better.
Yesterday I saw a nice little example of taking ownership and responsibility. I was standing in a crowded train when two men gave up their seats. They worked for the railroad company, and apparently company rules state that paying travelers have more right to a seat than staff. They might have thought: nobody knows that we work for the railroad company, we'll stay put. But they didn't. It was 'their' train, but also (at that time) their responsibility to accommodate travelers. Neat, gentlemen!
And in the big bad world…
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- good documentation is a precondition for responsibility.
- Microsoft's Active Directory sometimes offers broader access than desired.
- a Russian spy arrested in The Hague was promoted to head of a notorious hacking unit of the GRU.
- tech journalist Daniël Verlaan has made an interesting podcast about identity fraud. [DUTCH]
- the European Cyber Resilience Act could do better. [DUTCH]
- the cybercharlatan saga continues. [DUTCH]
- you need to update Outlook, right now. [DUTCH]
- the Amsterdam court gave Facebook a firm privacy scolding. [DUTCH]
- a colleague tipped me off about these somewhat old, but still useful, security tips for journalists (and for you). [DUTCH]
- your Samsung phone may be vulnerable to a number of unpatched vulnerabilities.
- it still makes sense to install a virus scanner on your Android phone.
- Twitter is used for scamming.
- the police are looking for volunteers in the fight against cybercrime. [DUTCH]