I was waiting for a friend in a Baltimore hospital when it dawned on me that I had just used hand sanitizer. I never use hand sanitizer. A dispenser was across the waiting area, and as I watched, everyone who passed did the “sanitizer stutter step” and wrung the germs from their hands without missing a beat. So now I was curious: was this a local or an organizational phenomenon? In short order I found myself, while anywhere in this hospital, never passing a dispenser without reaching out and getting a dose of sanitizer. When I left, I reverted to my same germ-transporting self. I was never asked or pressured into using hand sanitizer, and quickly lost the curiosity as to why I was even doing so.
Only some time later did I realize that the hospital had turned fighting their most harmful enemy, germs, into a cultural practice so well ingrained that even visitors fought the war by mimicking the hospital staff. To wage this war, they did not create a “germ” organization or continually pursue the next stronger chemical or the newest innovation for dispensing it. They instead made fighting their mortal enemy part of everyone’s responsibilities and habits.
The mortal enemy of business today is the loss of information. Billions are lost and billions are spent. We audit, oversee, tech-up, and pursue this enemy, only to see our losses accelerating year over year. We will not change the outcome of this battle until we fundamentally change our information security approach.
The needed changes can only come about when we have, as with the above hospital, made fighting our enemy part of our business process. It takes a commitment to be secure and a community to survive. Yes, we need innovative technology, and yes, IT must do all it can to protect our data, but security is not the sole purview of IT – it is everybody’s job, even our visitors.
Making security part of your business is not a new concept. But, unfortunately, it’s hard. It’s exponentially harder to make a cultural change to a business, especially with technology as the protagonist, than it is to just continue to buy into security clientelism and purchase a tool or appliance; at least by purchasing something you feel that you have achieved an easily demonstrated accomplishment. Even more unfortunate are the results of our current security approach: over one billion records were lost in 2014 – and an even higher number is expected in 2015.
We believe that the Achilles heel of security today, across all industries, is that technology is being sold and positioned without creating the necessary cultural, maturity, and operational foundation. A security plan can only be effective if it is properly used by all who come in contact with your mortal enemy. We will discuss security weaknesses in subsequent blogs, but rest assured – a company that has not embraced the culture of security is only lucky – until they are not.
– Gary Merry, CEO