Talk is cheap: learn to use it carefully

Others will dismiss it as nothing but hype designed to shift new credit cards armed with anti-ID theft devices – mostly branded packages of advice available publicly elsewhere.

A few years back, I had a conversation with a senior executive of a major software security firm. He revealed his disappointment that German police had caught a notorious young virus writer, but added the optimistic comment that there would be another headline-grabbing virus writer along soon. An expectation that has, so far, not materialised.

These conversations show how talking up a threat can prove rewarding if one is looking to shift a few extra financial products or anti-virus suites, especially to the consumer market. Good business but not, in a wider sense, necessarily a good thing for business.

Cheap talk works so long as the threat is, or at least can be made to look, authentic. If, and when, those threats prove less than serious, consumers are less inclined to believe the next scare or threat. Tabloid scare stories on Avian flu have had a similar effect.

Unfortunately, consumers carry the same attitude into the office as employees. When confronted with your carefully worked out, and fully-justified, security policy they might feel justified in taking it less than seriously.

And as Robert Jacques outlines in his feature on network access control, this is more worrying when employees start working outside the company perimeter: the relaxing confines of the hot-spot-enabled coffee shop tend to lower the guard still further.

Meanwhile, the burly security guard who can't keep awake at night isn't just lacking sleep, he lacks responsibility. The successful implementation of any IT security policy and infrastructure, in and out of the company, depends on the active participation and responsible actions of your employees.

That can only come through enlightened employee education. A sensible, rational programme of security education could at least avoid the embarrassing headlines after stolen laptops and employee data fall into the wrong hands. Education means more than flinging the company handbook at new starters. Employees need to be schooled in the value and need for security in the company that they are a part of – not just the rules and how to obey them.

Business too often overlooks the human-shaped part of the security equation. A carefully worded conversation with your employees could prove highly cost-effective.

This is my first issue as editor of SC Magazine. This is a great industry to be part of and I am very pleased to be editing the leading title for IT security professionals. I look forward to engaging you through these pages over the coming months.