Everyone reports to someone. I discovered this as a “C” coder, as a CIO, and in the role of COO. One of the first lessons I learned (not quickly) about security was a derivative of the adage “expect what you inspect.” In one of my first jobs as a CIO, my CFO (to whom I reported) had a well-placed desire to, as he was fond of saying, “run a sniff test” on anything that was curious. Initially I had varying levels of tolerance for these time sumps. After more than a few instances of “…we are doing WHAT?!?” I found myself firmly in the proof-through-sample camp.
The two most powerful words in security? Prove it.
While on a business trip, I telephonically listened to the chest-pounding, high-five-slapping, wrap-up meeting for an application that would tell our IT team when even a single bit of data was errant on a single POS anywhere in our enterprise. Our 2,600 POSs were, I was assured, secure. The next morning, I walked up to a POS, inserted a pen drive and copied a file to the hard drive. I then called my CIO to ask him which POS in our chain had unauthorized software. This simple nontechnical act had a nearly explosive result as my team discovered that they, and their new aegis, had no idea.
Failure to be secure is a failure to lead. One of my favorite quotes regarding security hangs on my office wall:
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
– Bruce Schneier
You will find me personally, and my company specifically, focused on making security part of your business. By simply asking for proof, you can – and will – make a difference.
As a leader, you have the ability to play an effective, and affective, role beyond the conference room. Listen to what your constituents are saying; I attribute my most dramatic, company-saving, disaster-avoiding initiatives to conversations that started with someone saying to me, “did you know that…”
Ask for proof. If it cannot be proven safe to you, regardless of your technical understanding, it should be deemed unsafe. Period.
You want a secure company? Prove it.
– Gary Merry, CEO
P.S. Yes, I am from Missouri.