Nov 01 2006

Trust, But Verify

Technology is a powerful tool. So is integrity.


Photo: Hot Shots Imaging
Jim Shanks
Executive Vice President and former CIO of CDW

Technology combined with integrity is powerful, aiding businesses to prosper and individuals to create, collaborate and explore. Unfortunately, technology in the absence of integrity is still powerful. And its misuse at the hands of information technology and non-IT professionals alike captures an ongoing bevy of press attention: databases compromised for financial gain; privacy rules ignored; IT needs overstated to dupe wide-eyed buyers.

And then IT ethics — rightfully so — are called into question.

That’s where you come in. How well your organization combines technology and integrity is up to you. You set the standard for how IT power gets wielded among your employees, your customers and their customers.

Many security experts believe that it won’t be long before IT professionals with access to systems containing sensitive, private or confidential information are required to verify the security of their systems and data. This would complement, not supplant, signing legally binding company policies to do the same. Think about the fallout of the accounting scandals of a few years ago. The results: federal regulations requiring executive officers to verify the veracity of financial results coupled with severe financial and criminal penalties for misrepresentations.

Certifications may help separate the ethical wheat from the unethical chaff. For example, the SANS Institute, a Bethesda, Md., cooperative with more than 165,000 security professionals, offers classes in IT ethics for those seeking certification in network security. It also stresses privacy in its code of ethics. Those joining SANS must agree to respect the privacy of their co-workers’ information, vowing to “not peruse or examine their information, including data, files, records or network traffic — except as defined by the appointed roles, the organization’s acceptable use policy as approved by human resources, and without the end user’s permission.” They also agree to obtain permission before probing systems on a network for vulnerabilities — a step many security professionals tend to ignore.

This key step is critical for any organization serious about IT. Knowing who has access and who has accessed a system is critical to determining the risk exposure level.

Another option to consider is conducting an independent audit on a regular basis. For most small businesses, that level of scrutiny isn’t affordable or even necessary. Yet to the degree that your company collects nonpublic personal information (NPPI) from customers (basically any information beyond what’s available in a phone book) and engages in e-commerce, it’s worth considering. Call it IT insurance. It’s a step that numerous firms can’t afford not to take.

“It removes the monkey off your back,” says William Cook, a partner and security expert at Chicago’s Wildman and Hartman. “It shows that as an IT professional, ‘I am exercising due diligence and being honest and meeting security standards. Check me out.’ ”

When hiring new personnel, examine backgrounds carefully and know who’s working for your business. “There will always be certifications and oaths, but it’s who is holding those credentials and taking those oaths that really counts,” says William May, CEO of Work Software Systems, a Charlotte, N.C., developer of retail point-of-sale software. “We put a lot of weight on strong personal references when hiring anyone, but particularly IT specialists.”

Which approach works best? All of them help. But none replaces communicating to your employees the high ethical standards that are demanded of them.

Indeed, information technology is too powerful and important to do otherwise.

Jim Shanks is executive vice president of CDW, a $6.3 billion technology services firm, and a former CIO.