Jeff over at HIPAA Blog gets all the best comments. Right now he is involved in a dialog with Diva of Disgruntled that points up a number of issues. From what I can tell, there is plenty of wrong to spread around, and some foolishness and poor judgment on both sides. The situation makes a good example of what can happen when an employer (in this case Kaiser) exposes themselves to an unhappy ex-employee. Some important points here:
Your biggest threat is from within. We spend tons of time building defenses against the uber hacker when most of the time he really isn't all that interested in us. These defenses are important, though, because part of why he isn't interested in us is that we are hard to crack, and there are so many other easy targets out there. Anyone who wants to understand how most hackers work should read a good history of the campaigns of Cesare Borgia, Lucrezia's older brother, and the man that Machiavelli based The Prince on. Borgia conquered most of Italy in a very short time, mostly by not conquering it. If a city was a hard nut to crack, he bypassed it, knowing that there were plenty of easier targets. If he really wanted a city, and the defenses were strong, he bribed someone inside to let him in.
Think about it. Who knows your defenses and systems? The folks who work with them, or in this case someone who used to work with them. And who is most likely to want to do you harm? Some joyriding script kiddie out to show his buddies how good his kung fu is, or someone who feels they have been done wrong, and who has little to lose?
So what do you do to minimize your exposure here? Like everything else, it is way better to prevent fires than to be a fireman. Screen your employees carefully. Treat them well. Monitor their activities. And make sure that you terminate them with dignity. Fighting with someone over a few dollars of unemployment insurance may save you some pennies in the short term, but you will make an enemy of someone who has the keys to the postern gate, a map to the stronghold, and the secret password that opens the citadel.


It's nice to see someone on the security/compliance side go beyond the "danger from within - your employees are your enemies" stance, to consider that the best way for employers to reduce these problems is to do the decent thing in the first place. Employers seem to think of their business interests as some absolute, universal law rather than something that is cultivated through fair and responsible treatment of people.

I think it's a mistake to screen for loyalty as a character trait, because loyalty is something that's developed through a relationship. Even a person who holds loyalty as their highest value might jump ship if they were chased: and for that person it's all the more traumatic to be pegged as disloyal by "screeners" who really know nothing about nothing.

If I were running a company with data security concerns, what I would do is hire people for their skills and a genuine interest in pursuing a career with my company. Then I wouldn't squander this person's motivation for coming to work for me. I would try to build a culture of long term careers and rewards for good service, and I would try to reduce turnover as much as possible. Volatility is in the turnover. I'd also get rid of all the pop psych mumbo jumbo and accept that employees are people with their own lives, experiences, and searches for meaning. I'd put all my energy into making sure people know what their job is and limit my concerns to whether they are doing that job. I'd emphasize testing for new positions to reduce unhappiness caused by politics and managerial scheming. If any problems should arise, I would not resort to shredding the documents, discrediting the witnesses, manipulating the process to prevent a fair hearing, etc. Do I get to be CEO now?