A Business Technology Place

The data we see

What we see

When I was an intern in college I worked as a desktop service technician for computer support. I remember an internal financial auditor on the fourth floor of my building whom I would occasionally help. Reese was much older than me, but he took time to talk to me about life as I fixed his computer. I wish I had appreciated it more at the time, but I was young and learning my way in a corporate environment. I thought about him recently because the world of auditing and compliance is changing rapidly in the areas of security and availability of data. While Reese was making sure our company followed GAAP for our financial books, I wonder what he would think about compliance controls for information security.

Our news feeds are filled with incidents, thefts, and breaches of company assets involving personal and protected information. A whole new generation of auditors is here to check compliance with controls for how we protect data like credit card numbers, health records, and education records. Identity thieves and hackers have created a gold rush in recent years to steal data bits that, when assembled correctly, tell them about you and me. Digital gold.

What we do with it

Today, I have to answer the auditor’s questions about controls in the audit. Unlike my time with Reese, I’m no longer part of the auditor’s day to fill time with a nice break and chit-chat. When I am answering an audit, I often try to really understand the basis of a control, or, as I call it, the “spirit” of what the control is trying to achieve (auditors don’t always like this; they’re often a bit stiff).

But here’s my take. The essential question behind the myriad of compliance controls is “what do we do with, and how do we protect, the data we see in our jobs?” The intention of the controls is to modify our behavior so that we take greater care of the data we see: to treat it the way we would treat our own personal accounts. That means we have to consider who has access to the data. We have to consider the classification of the data we see (confidential, private, restricted, public, etc.) and take action to protect it both at rest and in transit.

Thieves rely on our preference for convenience to be successful. Restricting access to data at rest and in transit is rarely convenient. It requires that we think, classify, and take action. It could mean we need to password protect a file, use a secure site for sending a file to a customer, or check to make sure a network folder is only accessible to people in our immediate workgroup. But it doesn’t stop there; sometimes we need to challenge people asking for information. Tailgating and phishing work because it is uncomfortable for us to challenge people.

Behaviors worth changing

One thing is certain. We are stewards of the data we see each day. Our customers expect us to treat their data with the same confidentiality and care we would give our own personal data. Forming good habits in data security is worth a little bit of hassle. So here are some practical steps I can offer to help us be better stewards of the data we see each day at work:

  • Take the annual Information Security Awareness training seriously. Much of the information will repeat each year, but it serves as reinforcement of good habits and of the tactics used by thieves.
  • Be cognizant of the data we handle. Classify the data and treat it accordingly. This may mean marking the classification on documents, storing data in secure places, or using an encrypted channel when transferring data to others.
  • Challenge others who ask for access to data. Make sure they truly need the access to complete their assigned job function, and make sure they understand the classification of the data before they receive it.

It’s rarely convenient. But it’s worth the effort.

Onward and upward!

Photo credit: Robert Couse-Baker via creative commons

Revisiting – What are you known for?

Deja Vu

I recorded a few rambling thoughts one day after work this week. That’s how many of my blog posts originate. Things happen through the course of a day that stick with me into the evening. When I jot down my thoughts, I see interactions with people, process observations, desires for better solutions, and things I want to change.

This week I looked over my notes and thought, “What do I want to be known for?” It’s a question I knew I had asked myself in the past. Three years ago, I wrote a post entitled What are you known for? In that post I expressed my desire to be known more for providing solutions than for following processes. I’m a practitioner of following processes, but the process itself isn’t bigger than the results it provides.

Dr. No

Fast forward to today. The Information Technology landscape is increasingly burdened with applying more security and availability controls to keep customers’ data safe and to achieve compliance with standards. But compliance is never convenient. The IT guy is caught in the crosshairs of a battle between making the work environment more secure and the extra burden that places on other employees. Burden in this context means restrictions. Lots of them.

Traditionally, IT has been known as Dr. No. There are restrictions on what hardware employees can use and what software they can install; Internet sites are blocked, software can’t be downloaded, and so on. This is the seed that birthed Shadow IT, where departments arrange and install software outside the approvals and processes of their local IT group.

A better way

I’ve had too many experiences in my career of watching people tell someone else they can’t do something for one reason or another. It’s not only frustrating; it drains the energy and motivation of everyone involved.

But it doesn’t have to be this way in every situation.

A better partner explains the constraints of the problem and solution. Instead of ending a discussion with ‘no’, he or she will offer alternatives for a solution.


“We can’t do that for you, but what we can do is this…..”

“That’s not possible, but I know a way that is….”

“We are prohibited by policy/contract/compliance control from doing that, but there are a few different ways to accomplish something similar….”


Of course, the person on the receiving end has to be able to compromise and think about the solution in a different way as well. It takes two to make the partnership happen.

If you are a solution provider, don’t stop at the word ‘no’.

If you are a solution receiver, be open to alternative ways of doing things.

What do you want to be known for?

Onward and upward!


Rethink IT Compliance

Compliance initiatives are viewed from the wrong lens.

Every week I look at requests and responses for technology and security compliance matters. Typically, I communicate this information to compliance personnel at a customer, the sales organization, or the lawyers. The focus of the process is to get answers to check a box and then move forward with the sale. Speaking candidly, most of the people in the communication chain don’t really care about the content of the compliance controls. The process serves as a means to an end.


Compliance controls are put in place for a reason and are well intentioned: they make workplace environments safer for both customers and employees. But I can think of three reasons why compliance controls cause angst and are often viewed negatively in a business environment:

  1. The compliance documentation is reviewed at the end of the sales process, when it no longer influences decision making and has become a check-list item on the way to signatures on a contract.
  2. Compliance is viewed as a cost center and not as an asset for winning business.
  3. The compliance documentation does not add value for the customer because the documents are managed by a group that doesn’t use the product or service being purchased.

Look at examples from other industries.

In the food service industry, restaurants are required to post their health inspection scores in a visible location. I look at these scores periodically, and a low score has given me reason to pause and think before ordering. In this example the health score acts like a compliance report, posted in plain view so the customer can see it before deciding to purchase.

While not a standard, a few car dealerships will put an inspection report inside the used vehicles on their lot. It shows a potential buyer what was discovered during the inspection and whether each issue was repaired. This quick-view grid lets a prospective buyer weigh the cost and value of a vehicle before purchase. For the dealer it becomes an asset that represents an investment in the product they are selling. The last used car I purchased had one of these reports, and for me it was the difference that made me a buyer.

Rethink IT Compliance.

Taking a cue from the food service and automotive examples above, I think we could bring more value to IT compliance work by changing the lens and refocusing our view.

  1. Present a summary grid of IT compliance elements at the beginning of the sales process with prospective buyers. Rather than viewing the document as a check-list, the Sales organization would treat the information as part of a selling tool and would be more engaged with the content of the compliance process.
  2. Present compliance work as an asset and differentiator rather than thinking of it as a back-office cost. Let customers know that the company has made an investment in controls, risk mitigation, and best practices. This becomes not only an asset to the product or service being sold but also speaks to the culture of the organization doing the selling.
  3. Allow the end customer to see the list up front. This should be a simple one-page document that shows the tests, policies, and initiatives related to compliance and regulatory controls. It lets the customer place a value on the process and may influence them to move to the next step of the buying process.

This can be done in a way that doesn’t expose detailed secrets about which vulnerabilities exist in the security control findings. Remember, it should be a one-page grid summary: which policies are in place, which standards serve as the basis for the security policies, whether routine vulnerability scans and penetration tests are performed and how often, and so on. Keep the open findings and remediation details out of it; if the customer has a compliance group that wants to see more detail or examples, you can provide that later in the process under the appropriate agreements.

Onward and upward!

Photo credit: Iwan Gabovitch via creative commons.