Imagine the following scenario: You are told that the security of your company is about to be compromised, and you have the ability to stop it. You have the option of implementing appropriate IT security technology and processes, and in doing so you can save the company – and possibly people’s lives.
However, if you act, you will lose your job because your actions will upset incumbent stakeholders who do not want the regulatory oversight or operational changes that the security solution provides. So, do you do the “right thing” and protect the company or do the “right thing” for your family (keep your job) and just let it go?
While it may sound unlikely, this is the Faustian dilemma faced by many C-level executives in companies that trace their history back more than 100 years. These are the companies and providers that are part of the Critical National Infrastructure (CNI) that President Obama has been working with to provide a significant defense against cyber-attacks.
At The Core: We Don’t Need Information Security
The best way to describe the current CNI cyber-security situation is as a deadlock between the status quo and a secure future. As strange as it may seem, executive management within CNI is being held hostage by employees who have no reason to improve security. Further, any attempt to implement new rules, accountability and security technologies to provide defense goes up against an impenetrable wall.
However, in the face of federally mandated rules to implement security technologies – such as privileged identity management – all sides find a politically acceptable solution. In effect, security is not at the discretion of management or labor, but is implemented for the general public welfare without any negotiation or confrontation.
Information Security: Technology and Culture
By definition, there is no best outcome to a Catch-22. When it comes to security, technology is important, but culture and business realities can make the “right” decision a deal with the devil if there ever was one. The nice thing about a law regarding security is that “right” can be a lot clearer to define and implement.
What do you think? Leave a comment below.