Career Insights with Upasana Gupta

The 'Need to Know' Has Got to Go

Recently I was chatting with an IT Risk professional with a medium-sized bank, and he mentioned he's having difficulty getting management to share security-related information.

Whenever fraud detection and data loss are discussed, management effectively resorts to secrecy, withholding information about security breaches, their potential sources and the loopholes in the system, and the impact of these breaches on the organization's overall business.

Why is management so closed-mouthed? For either self-serving reasons or simply to avoid embarrassment. And it's not a situation unique to this one organization. Rather, it's too common a scenario throughout the public and private sectors.

No question: Management must focus on protecting information that would otherwise compromise security. But what's missing is management's ability to face information security in its entirety and dictate actions at questionable crossroads by acknowledging a vulnerability or incident, then discussing these issues openly with employees to get fresh perspectives and perhaps an effective solution to existing problems. (See my other recent entry, "Information Security ... and Ethics.")

Individuals will make better informed decisions about what knowledge to share if they are provided with information about the value of the knowledge being considered for sharing. By understanding the context, the employees will assess consequences of their actions in a more balanced way and learn what they need to share and collaborate to get things done.

Without transparency, there can be no trust or accountability among employees, and therefore little progress.

As a community, we just witnessed the firing of Bob Maley, a former CISO of the Commonwealth of Pennsylvania, who during the RSA Conference shared unauthorized information about a security incident. As a reward for his frank and open discussion of this security incident, Maley was promptly dismissed when he came back to work, partly because he discussed state information without obtaining prior approval.

If we are looking to prepare ourselves for the future, it is essential for management to take a step toward transparency and openness, to move from a culture of "need to know" to "responsibility to provide."

Today, it is not enough to discuss these issues within the four walls of an executive board meeting; it is time for management to be transparent and provide tools to keep employees dynamically informed of what's going on and what actions can collectively be taken toward existing issues. Going forward, organizations will need to invest in employee relations and establish ownership and trust to encourage both knowledge sharing and secure behavior.

Perhaps we'll get to a point where people are punished for what they don't say, as opposed to what they do.



About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.