A child with a chocolate-smeared shirt says, "I didn't do it." The phone rings, and Mom assures you, "There's nothing to worry about." A systems administrator carrying a box of tapes says, "We'll have everything back up in a few minutes." Sometimes the first words you hear -- despite their distance from the truth -- tell you everything you need to know.
That's so with information security as well. Some words sound reassuring at first glance, but I've found they often point to problems safeguarding internal information assets and technical resources, or with the people and processes that protect them. Here are a few of the telltale phrases signaling that security trouble could be boiling over.
"We have a culture of security."
No, you don't.
I hear this most often from enterprises that started as a five-person mom-and-pop shop, went corporate as they grew, then blinked and found themselves operating with a thousand people and no governance or policies. Three dollars and their "culture of security" will get you a fancy cup of coffee in a quiet cafe, where you can contemplate how much work there is to do.
The simple fact is that without supporting directives or a mechanism for feedback, security is defined differently by each person and verified by no one. There is no metric for compliance with a "culture," and a "culture of security" is overridden by a culture of "get the job done" every time.
If there are rules, write them down. If technology is put in place to implement or monitor the rules, write that down too. If people break the rules, follow up. If the rules prevent legitimate business from getting done, change them. It's that simple.
"IT security is information security here."
Information security is not the same thing as security in information technology. If the term "information security" is used interchangeably with "IT security," it invariably means that no one has made fundamental nontechnical security decisions and that affected departments -- IT, human resources, legal, audit, and perhaps others in your organization -- are guessing what the others mean.
Get together with those who have influence in the departments above, and decide whether information (not paper documents or equipment) is an asset of the company, just like computers and paper clips. Decide whether the company authorizes people for jobs, physical access and information as individuals. Make these policy decisions as a group, and have them signed by those with authority. Then perhaps there will be more time in the day for deciding how to manage security instead of guessing what.
"That doesn't apply to the boss."
Though it's becoming less of a problem in public companies thanks to the Sarbanes-Oxley Act, occasionally an executive simply refuses to follow security or privacy directives he approved. Unless you're prepared to meticulously document misdeeds in a forensically sound manner and then take them to the board of directors or the police (or quit), you'll just have to work around it.