being ornery about the corporate ethics compass and security training

A Canadian article discussed the results of an IT security survey. A couple of blurbs caught my attention.

According to the 2006 Global State of Information Security survey, 53 per cent of Canadian companies surveyed said their reputation was driving their information security spending. The global average was 41 per cent.
“Poor information security that loses data such as customer profiles can seriously affect a company’s brand,” says Greg Murray of PricewaterhouseCoopers. “The cost of handling the public relations issues associated with losing customer identities can be devastating.”

Now, while companies are economic entities, and realistically this may be the honest truth of how execs look at IT security and its effects, I can’t help thinking how unethical this attitude seems. So, in the absence of a government forcing disclosure of losses, these companies would not divulge the information. Likewise, if customers did not care or the company would not be affected financially, they wouldn’t disclose it. That attitude is also degrading to the security/IT staff at those companies: “I only do good because it helps me avoid getting into trouble.” It’s a classic example of negative reinforcement. I would prefer that we didn’t need that reinforcement and that the actions were done ethically because the company is just that way. But that may be far too idealistic of me to expect… (Then again, avoiding negligence issues can work the same way, so maybe I’m nitpicking something I really should not be… quite likely in fact, so I will strike this whole paragraph but leave it for my own future reference.)

Mr. Murray was surprised to find that 61 per cent of Canadian respondents surveyed have limited or no security training for the end-users of technology – their employees.

Training is a fun debate and can go both ways. Fundamental training should be required for employees. I’ve known far too many people who truly didn’t know that something like surfing web pages willy-nilly was bad, and they were genuinely receptive to the information. Some of them may even have changed their behavior because of the new knowledge. But much like teenage pregnancy, drug use and various crimes, you can only inform the “general public” so much. Security will not suddenly become solid when all users are given excessive amounts of training in the workplace. I mean, if that were possible, perhaps we could have had a much different president these past 6 years if we had just informed the US public more? 😉