• Law, Policy -- and IT?

    Tracy Mitrano explores the intersection where higher education, the Internet and the world meet (and sometimes collide).


What's Wrong With This Article?

Time for "information stewardship."

July 27, 2014

“A Tough Corporate Job Asks One Question: Can You Hack It?”

No, it is not the recommended tomato/tomato pronunciation of CISO.   And it is not even the failure of the Times to recognize that in this area, higher education has long been ahead of the curve … a result of the early DARPA/Internet collaboration that recognized network and technical security as a distinct area of expertise long before the role became instantiated in the private for-profit sector.  It is the implicit reductionist assumption that the “Internet” is only a technology.  The cure to its criminal ills is therefore thought to be singularly technical.  No wonder the story ends with the well-worn three-envelop joke that concludes with the predictable “prepare three envelopes.”

Every CISO who does security can recite the “confidentiality, integrity, and access” mantra.   If your CISO does not also whisper the trope “administrative, technical and physical” in their sleep, hand them the third envelope.  Technical security without administrative and physical controls protects next to nothing in the contemporary Internet.   The Internet is not singularly a technology but a communication medium for information valuable to criminals because it is valuable to the global economy.

Administrative, technical and physical control without governance, compliance and risk management intertwined in its everyday practices is most assuredly a losing game not only for the CISO but also for the institution.   Those controls require a harmonize business environment to be meaningful.  And governance, compliance and risk management without training, education and communication are too insular.  Think of nesting dolls to reach the weakest link of your user base when scoping out the security mandate.

It is strange that the article did not even mention the word privacy, strange because the private, for profit corporate world has long hired Chief Privacy Officers and incorporated privacy practices in its business process for all kinds of business intelligence, intellectual property and compliance reasons. “Information stewardship” is the missing piece to this puzzle.

Billions of dollars and many pink slips later, I guess we all still have a lot to learn.  And so I will conclude with my own hackneyed joke, the one about getting to Carnegie Hall.   In the midst of this challenge, we must continue to practice, practice, practice.




Back to Top