If you want to be in direct command of a U.S. aircraft carrier you must be a pilot or navigator. There is a very good reason for this. Despite the fact that there are thousands of personnel on these ships, many with very responsible jobs indeed, what really counts are the aircraft and the pilots that man them – and the Navy knows it. They also know that if they want the mission to be carried out successfully they need an individual in charge with all the right knowledge and perspective to support these most valuable assets. Not a captain that made his rank by being a wiz at logistics!
Some of this same wisdom should be applied to leaders of government agencies and businesses that store and process private information. Do we really want people running our organizations who are not well versed in computers and information security? After all, these machines are not only vital components of our business practices; they hold the keys to the kingdom as well!
Take the recent Office of Personnel Management (OPM) debacle as an example. This agency had been warned repeatedly about the lack of security in their systems, but little or nothing was done about it. Result: four million personnel files compromised. That’s one out of every 80 people in the country! And the reason for this failure seems to be simple ignorance and inexperience on the part of staff.
One lesson that has become brutally apparent from my risk assessment experience is that if upper-level management isn’t behind the effort, the risk assessment is doomed to fail. I’m sure this is true of general information security programs as well; if upper-level management isn’t knowledgeable and interested then the information security program is doomed to fail – and the bigger and more entrenched the bureaucracy the more this is true.
Now, I’m not saying that I think all CEOs should be recruited from the ranks of IT security. What do most of us know about running a big organization? What I am saying is that I think a certain level of expertise in matters computer and security should be a requirement of any job that oversees the processing and storage of our private information. Especially since computer systems are going to become increasingly vital parts of our everyday lives as time goes on.