Recently, the refrigerator here at CIO started to stink. It wasn't a vague, something-spilled-in-there smell. It was a reeking, something-died-in-there odour. We were all aware of the problem. Someone even put a yellow sticky on the door that read "Clean Me — I'm Stinky!" But for more than a week, none of us did anything about it. As long as we could get our coffee, hurrying out only slightly dizzy from the noxious air, we all used the same thinking: "This is a problem, sure, but it's not my problem."
At the same time as l'affaire fridge, CIO was holding a Reader Breakfast, in Austin, Texas. A Reader Breakfast is where reporters and editors meet a group of technology executives and listen to whatever's on their minds. One of the attending editors reported from Austin that there were "lots of votes for security as a hot issue in a global sense, but not the number one issue for CIOs personally." You see where this is headed: information security is the stinky fridge. Everyone knows it's a big problem, but no one feels like it's their problem.
This actually signifies progress. Until recently, denial abounded about security's fundamental role in the enterprise. It was as if someone here had walked by the kitchen and said, "I don't smell anything." But any remaining traces of that mentality disappeared in the wake of another remarkable string of security failings: Nimda, 9/11, Code Red, instant messaging vulnerabilities, Windows XP security holes and the recently found SNMP vulnerability that allows systems to be taken over easily if SNMP capabilities are turned on. It affects millions of routers from hundreds of manufacturers. If you can't smell it now, you don't have a nose.
The security officers we speak with, though, say that all this awareness has been coupled with remarkably little ground-level efficacy. They say that the CIO needs to turn awareness into action. Raise budgets. Educate. Create policy.
So far, as the Reader Breakfast indicated, progress is slow. Many of the security experts say that the only effective way to create action out of awareness is the old standby technique — scare the bejeezus out of the C-level execs.
Two quick examples of this. The first one comes from the former chief information security officer of a large state agency: "I entered my CEO's office very early one morning and 'borrowed' diskettes, file folders, a laptop and a few other critical items left on his desk. I then invoked a 'Go 'Niners' password-protected screen saver (naturally he was a Raiders fan) on the PC. I returned a few minutes after open office hours, coffee in tow and was greeted with an ashen-faced CEO and a shaky request for a confidential talk — immediately. We had a lovely discussion about security."
The second example comes from a security IT staffer, who would from time to time chat up his CIO. "I'd tell him about some hack in the news," this staffer says, "and I'd try to explain how it would work in our department. I'd get just to the point when I could see his wheels were turning, where he was getting nervous, and then I'd say, 'Great talking to you, I gotta go.'"
This will work to a point. But eventually, CIOs need to be a little more proactive and take ownership of security problems. It's not enough to simply acknowledge the issue is out there, like a funky smell wafting out from the kitchen. Better to deal with the issue before you discover what I did: a quart of chunky half-and-half that was six months old, and a fuzzy turkey sandwich that probably could have walked itself to the garbage. Eventually, you're going to have to clean the fridge. Don't wait for someone else to do it. It is your problem.