Originally published on LinkedIn, April 16th, 2019.
BLUF: Organizations can have both an effective employee InfoSec program and healthy organizational transparency, those concepts are not mutually exclusive. Information carries power. Beware of organizations that circumvent candor as a practice and fail to acknowledge their employees as stakeholders to whom they are always answerable.
I watched “The Inventor…” on HBO a few weeks ago when it aired and I have very important news to share. Guess what? Fraud is not an invention. If it were, I’m certain the volume of patent lawsuits that would arise would cripple judicial systems globally. I’m joking, but I’m kinda not. Sadly, I didn’t get any epiphanies from learning the details shared in the film. Except, perhaps, that not enough folks who could have helped “nip things in the bud” sooner were able to recognize the need and/or muster the courage to act before things had gone way too far.
The overall purpose of this article is not simply to rag on Elizabeth Holmes or Theranos. However, watching the documentary on that whole clusterf*** did trigger me to want to share some advice that may not have occurred to many people and organizations, unfortunately. In case you haven’t seen it, something the film conveys is that Theranos used the “these are not the droids you’re looking for” approach to evade accountability as questions began to surface. Employees of Theranos (and all other stakeholders too, for that matter) who were growing concerned and raised issues were basically given the “that’s none of your business” treatment, oftentimes under the guise that they weren’t allowed to be privy to the company’s “trade secrets.” Eventually the lid was blown off the trickery by a whistle-blower employee (great job!).
What struck me as the film shared the accounts of people (particularly employees) who were beguiled along the way and has brought me great concern is the seemingly widespread misconception that organizational transparency and the need to safeguard organizational secrets are somehow competing ideologies which are mutually exclusive. I got the impression that many Theranos employees (mistakenly) believed that the company’s need to safeguard its secrets negated its responsibility to keep its workforce informed and up to date on core matters to their livelihood. Sadly, that misconception fooled (and hurt) a lot of people. I want to help set the record straight and clear up such misconceptions for folks everywhere, especially those who today are working in tomorrow’s next potential Theranos type clusterf***.
First, it IS absolutely necessary for organizations to restrict employee access to all kinds of information. Doing so properly is in the best interest of the “royal we” of employees and all stakeholders. However, doing so properly also means that the organization hasn’t sacrificed its responsibility for candor and transparency. Today more than ever, I recommend that ALL commercial organizations adopt information classification, handling, and safeguarding policies and programs with clear standards (tailored to them) that are constantly communicated so as to become ingrained in their operational culture. I assert that doing so in the right way actually fosters better overall transparency and employee understanding company-wide.
Remember, Information Security as a discipline goes beyond digital systems’ cyber security configurations. InfoSec includes measures to safeguard information and mitigate risk from personnel negligence as well. In fact, internal employees are the weakest link and biggest risk to organizations’ InfoSec posture regardless of whether they have malicious intentions or not, and organizations today have more access and responsibility to safeguard various types of information (and “data”) than ever before. Loose lips of the under-educated employee with access, or even one errant click by an employee on the wrong link is truly all it takes for all hell to break loose. The most effective way to strengthen the information custody chain is through employee engagement and training related to the responsibilities for sensitive information stewardship.
Beyond an organization’s trade secrets, strategies, or competitive plans, companies might also have enduring responsibilities to safeguard customer data, employee PII, HIPAA-related information, and a whole host of other types of sensitive content. Being transparent about InfoSec and information handling standards with employees in the face of these requirements is an important first step for many organizations to start improving both. With so much at stake these days, organizations that fail to take their InfoSec responsibilities seriously are truly playing Russian roulette with lawsuits, insurance costs, and perceived risk from investors. With every new headline about data negligence, we are going to see higher and higher fines, more legislation, and possible criminal implications for gross failures protecting information as the landscape evolves.
I recommend organizations that have not deliberately focused on employee information protection standards start with an audit. First, establish what types of sensitive information are in your keeping and how each type must be properly protected. Then, establish what levels of information security clearance different employees might need. It is important in this step to distinguish clearance level from the “need to know.” For certain types of information protection, the proper posture may require hiring enduring full-time teams, for example to uphold cyber security.
However, many of the risks associated with personnel InfoSec only require clear policies and education for the workforce. While Manager A might be given some PII clearance level, for example, his “need to know” in that realm is likely only for certain PII related to people he oversees, and not for Manager B’s employees. If everyone understands these differences and upholds the associated standards in practice, the team experiences both improved InfoSec and organizational transparency thanks to crystal clear expectations. Managers A and B, and everyone else, understand what access they are allowed as part of their responsibilities and where the limits lie regarding their need to know… and that understanding does not impact their ability to do their job.
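To make the clearance-versus-need-to-know distinction concrete, here is an added illustration (not from the original article, and not any real organization’s policy) of an access check that applies both gates independently: clearance covers the classification level, need-to-know covers the specific record. The level names, tags, and the Manager A / Manager B sample data are constructed for this example.

```python
from dataclasses import dataclass
from enum import IntEnum

# Clearance ladder; names are an assumption for this example only.
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # e.g. employee PII
    RESTRICTED = 3     # e.g. trade secrets

@dataclass(frozen=True)
class Record:
    name: str
    level: Level
    need_to_know: frozenset = frozenset()  # empty = any sufficiently cleared employee

@dataclass(frozen=True)
class Employee:
    name: str
    clearance: Level
    duties: frozenset  # tags describing what this person's job actually requires

def can_access(emp: Employee, rec: Record) -> tuple[bool, str]:
    """Two independent gates: clearance covers the classification level,
    need-to-know covers this particular record. Deny unless both pass."""
    if emp.clearance < rec.level:
        return False, "denied: clearance"
    if rec.need_to_know and not (rec.need_to_know & emp.duties):
        return False, "denied: need-to-know"
    return True, "allowed"

def pii_record(subject: str) -> Record:
    # PII about a person is needed only by that person and whoever manages them.
    return Record(f"pii:{subject}", Level.CONFIDENTIAL,
                  frozenset({f"self:{subject}", f"manages:{subject}"}))

# Constructed sample data mirroring the Manager A / Manager B scenario above.
RECORDS = [
    pii_record("carol"),
    pii_record("dave"),
    Record("test-procedure", Level.RESTRICTED, frozenset({"runs-tests"})),
    Record("holiday-calendar", Level.INTERNAL),
]
MANAGER_A = Employee("alice", Level.CONFIDENTIAL, frozenset({"manages:carol"}))
MANAGER_B = Employee("bob", Level.CONFIDENTIAL, frozenset({"manages:dave"}))
LAB_TECH = Employee("carol", Level.RESTRICTED, frozenset({"self:carol", "runs-tests"}))

def access_report(emp: Employee) -> dict:
    """Audit view: what this employee may see, and why the rest is withheld."""
    return {rec.name: can_access(emp, rec)[1] for rec in RECORDS}
```

Note that both managers hold the same clearance, yet each can read only the PII of the people they oversee, while the technician whose job requires the procedure is not blocked from it.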
Assessing “need to know” against an ask is the easiest way to gauge whether an organization is truly protecting or just withholding. In the documentary, some employees gave accounts where they asked specific questions that were related to core aspects of how to do their job, yet were not answered under the claim of protecting secrets. While there may be plenty of information not everyone should be privy to depending on their role, put some faith in common sense: if your organization doesn’t think you have the “need to know” how to do your job, you should definitely run… or better yet, blow the whistle. There’s no excuse for employees to find themselves complicit in fraud, and the type of withholding that took place at Theranos (based on the film) is clearly not InfoSec, an invention, nor a Jedi mind trick… it’s just the work of a confident bullsh** artist. No Slack! Stay frosty.
I’m very experienced in DoD-related InfoSec programs, standards, etc., but haven’t seen programs as robust commercially. Do you have insight on effective corporate programs of this sort? Please share your insights!