Wikileaks: Lessons for CEOs. Information Security Management is there to protect, not to ignore
Like nearly everyone else on the planet, I've been transfixed by the ongoing saga of WikiLeaks' release of hundreds of thousands of secret diplomatic cables. Leaving aside all questions of the ethics or criminality of either the leakers or the diplomats whose activities were revealed, it's a fascinating story about information security -- or the lack thereof -- with important implications for any organization that feels a need to protect some of its information from prying eyes.
The main lesson is simple: information security is hard.
If the US State Department and military can screw up this badly, every organization on the planet should take a hard look at their own internal competencies. And make no mistake about it: whatever you think of the leakers, they have revealed an appalling lack of sophistication about how information should be protected in the age of the Internet.
I'm not privy to the internals of the affected systems, so my information is based on possibly flawed news accounts, but the emerging picture is astonishing. It appears that anyone with the lowest level of security clearance was able to reach far more information than their job required, and that nobody was watching how much of it they pulled. Otherwise it's hard to imagine how anyone -- even with a much higher clearance -- could have downloaded so many documents without being noticed. Those are two separate failures: access that wasn't limited to need-to-know, and bulk retrieval that wasn't monitored.
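Both failures above are checkable from ordinary access logs. The following is an added example, not code from the original post or from any of the systems it discusses: a small Python detector run over a constructed access log (the log format, the compartment names, the need-to-know table and the alert thresholds are all assumptions made for the illustration). It reports accesses outside a user's need-to-know set, and users whose peak retrieval rate in a sliding window stands far above their peers.

```python
"""Least-privilege and bulk-retrieval checks over a constructed access log.

Added illustration; the log format and all thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (not real data). One event per line:
#   <ISO timestamp> <user> <action> <document id> <compartment of the document>
# Three ordinary users do a handful of reads; "mallory", a low-level analyst
# cleared only for EUR-POL, pulls 60 documents in half an hour, a third of
# them from a compartment outside her job.
SAMPLE_LOG = """\
2010-04-05T09:00:00 alice VIEW doc-1001 EUR-POL
2010-04-05T09:05:00 alice VIEW doc-1002 EUR-POL
2010-04-05T09:10:00 alice FETCH doc-1003 EUR-POL
2010-04-05T09:12:00 bob VIEW doc-2001 MIL-LOG
2010-04-05T09:15:00 bob FETCH doc-2002 MIL-LOG
2010-04-05T09:20:00 carol VIEW doc-3001 EUR-POL
2010-04-05T09:25:00 carol VIEW doc-3002 EUR-POL
2010-04-05T09:26:00 carol VIEW doc-1001 EUR-POL
""" + "".join(
    f"2010-04-05T10:{i // 2:02d}:{(i % 2) * 30:02d} mallory FETCH "
    f"doc-{5000 + i} {'EUR-POL' if i % 3 else 'MIL-LOG'}\n"
    for i in range(60)
)

# Assumed need-to-know table: the compartments each user's job requires.
NEED_TO_KNOW = {
    "alice": {"EUR-POL"},
    "bob": {"MIL-LOG"},
    "carol": {"EUR-POL"},
    "mallory": {"EUR-POL"},
}


def parse(log_text):
    """Turn the log text into (timestamp, user, action, doc, compartment) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc, compartment = line.split()
        events.append((datetime.fromisoformat(ts), user, action, doc, compartment))
    return events


def need_to_know_violations(events, need_to_know):
    """Every access to a compartment the user's job does not require.

    A user absent from the table has no entitlements at all, so all of
    their accesses are reported.
    """
    return [
        (user, doc, compartment)
        for _, user, _, doc, compartment in events
        if compartment not in need_to_know.get(user, set())
    ]


def peak_window_counts(events, window=timedelta(minutes=30)):
    """Largest number of accesses each user made inside any `window`-long span."""
    times_by_user = defaultdict(list)
    for ts, user, *_ in events:
        times_by_user[user].append(ts)
    peaks = {}
    for user, times in times_by_user.items():
        times.sort()
        best = start = 0
        for end, ts in enumerate(times):        # two-pointer sliding window
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks


def bulk_access_alerts(events, window=timedelta(minutes=30), floor=20, ratio=5.0):
    """Users whose peak rate exceeds both an absolute floor and `ratio` x the
    median peer peak. The median is used as the baseline because one heavy
    downloader would drag a mean-based baseline up with them."""
    peaks = peak_window_counts(events, window)
    threshold = max(floor, ratio * median(peaks.values()))
    return {user: n for user, n in peaks.items() if n > threshold}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("need-to-know violations:", len(need_to_know_violations(evts, NEED_TO_KNOW)))
    print("bulk-access alerts:", bulk_access_alerts(evts))
```

Neither check requires anything exotic: a compartment label on each document, an entitlement list per user, and a timestamped record of every retrieval. With those three things in place, sixty pulls in thirty minutes from someone whose peers manage three is a routine alert rather than a surprise read about in the newspaper.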
An important corollary should also be obvious, though it is hard to enforce: even the most important users need to take security protocols seriously!
If the Secretary of State is going to authorize an obvious no-no like stealing credit card numbers and other personal information from UN diplomats, she shouldn't say so in a document with the lowest level of security classification. All the security mechanisms in the world are to no avail if important people are allowed to ignore them. This has implications for every CEO in the world: as important as you are, your information security team should have a veto over certain kinds of actions that you might take.
To paraphrase Lord Acton: in the age of the Internet, absolute power can embarrass absolutely.
But the most important lesson from this sad affair may be the importance of truly independent third parties.
It's incredibly hard for an IT security specialist to stand up to a CEO or a Secretary of State. It's more likely to happen when that specialist is relatively protected, as part of an independent organization whose sole job is to protect and secure information for a client organization. This is why we have independent auditors, certifiers and consultants, and it's also why most organizations are better off outsourcing most of their information security tasks. (Knowing whom to trust in such outsourcing is no easy matter, but it's easier than knowing everything about information security policy internally.)
I'd love to brag about how Mimecast's customers appear to have better security than the US State Department. But the revelations about the latter's information security are so distressing that it's a shockingly modest claim, and one that I hope most of our competitors can also make. Nowadays, outsourcing much of your information security to almost any specialist company is likely to yield better results than trying to do it yourself, whether you're a small law firm, a giant multinational, or the most powerful government in the world.