How much freedom are you willing to trade for security?

Carlton Vogt has been exploring this subject in his thought-provoking “Ethics Matters” columns, available on Infoworld.com. It’s a complex, difficult public policy issue, which means it’s better suited to happy hour than business hours.

During the work day, your worry is how much flexibility you’re willing to trade for IT security. The issues are similar. Unlike national security, though, IT security is a day-to-day worry for any CTO or CIO who deserves to hold onto a job.

Chad Dickerson appears to like the idea of outsourcing IT security. I sympathize, too: IT security is a difficult, highly technical, rapidly changing, irritating, expensive, and worst of all non-value-adding function. Most CTOs hate dealing with it almost as much as they hate the result of not dealing with it. And for smaller companies that lack enough mass to fund a full-time IT security position, outsourcing might be the only realistic option available.

Outsourcing IT security worries me, though. No, not because you can’t trust any outsiders with the keys to your kingdom — “Who watches the watchers” is just as big a problem with employees as outsiders.

Here’s my concern: IT’s job is to make employees and business functions more effective. That means delivering as much functionality as possible. In terms of technology this means access to information and transactions from wherever employees happen to be working.

From a security perspective, the richer the functionality and the more broadly you make it accessible, the more security holes you open up. “Flexibility my eye,” I’d say if I were contractually accountable for your security. “I’m going to lock down everything that isn’t absolutely necessary to have open. Prove you need it or you can’t have it: That’s my motto!”

By staffing the security function internally you have at least a fighting chance of achieving a balance.

But IT security is still a difficult, highly technical, and rapidly changing field. It’s hard for an internal security staff to stay current, it’s easy to become spread too thin, and establishing necessary boundaries can be awkward when you’re a staff member.

So after you staff the function internally, make sure you schedule regular IT security audits with an outside specialist.

Flexibility is important, sure, but you still need someone to watch the watcher.

Recently, I filled out our application for a marriage certificate. I began with the section titled “Groom.” Last name, first name, middle initial … fine. Sex: M or F. Huh?

As Minnesota doesn’t recognize same-sex marriages, the number of female grooms is low enough to ignore. Still, there was no point in arguing, so I circled “M” and moved on.

Next on the form was Race. There wasn’t enough room to write “disproved hypothesis,” so I left that box blank.

As a concept, race belongs in the scientific dustbin, right next to inheritance of acquired characteristics and the luminiferous aether. Because while racism is alive and well, race — which always should have been irrelevant, other than in situations guided by affirmative action — turns out to be a useless way to categorize humanity.

Race would mean something if a variety of different traits were genetically linked — if, that is, they assorted non-randomly in the population. It turns out, though, that (for example) skin color, height, eye color, and heritable cognitive characteristics have no discoverable genetic linkage. They don’t follow each other around.

People being what they are, the scientific evidence hasn’t settled any social issues. Citizens of African ancestry whose forebears arrived in this country as slaves continue to experience social hindrances, and we’re as far from finding effective remedies as we’ve ever been.

Nor is this an abstract issue in IT. Look around you — I’m willing to bet most of the faces you see are relatively pale when compared to the population as a whole. Listen, too: How many out-of-work programmers simultaneously proselytize libertarianism and demand government protection from “Indian and Pakistani H-1Bs”?

Any outplacement firm will tell you: People tend to hire people like themselves. Job seekers are advised to be as much like the hiring manager as possible. When you’re on the other side of the desk, interviewing job applicants, do you notice skin color first when the applicant isn’t pale (assuming that like most IT managers you are)? That doesn’t make you a racist — classifying others as my-group/not-my-group is probably an inherited predisposition. Still, it puts not-my-group at an automatic disadvantage.

As a hiring manager, you have an obligation to suppress this natural tendency. You’re supposed to hire the best applicant, not the one whose appearance is most comfortable.

That’s business. There’s social fallout too. Because no matter how often the tiresome phrase “playing the race card” is used to wave away these issues, disparities between races in this country are growing … no matter how little “racial” actually means.