Computer Security Violations: When to Punish and Who Should Do It?

"Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmented information—the highest level of security clearance] with the federal government," stated [DHS CISO Paul] Beckman.

I don’t think you will find anyone in computer security who would argue against the need for more personal accountability when it comes to security policy violations, yet the idea that someone in a computer security role should hold sway over whether someone is punished is one that even this (relative) graybeard has a hard time accepting.

To a certain extent the CISO of DHS is right: a security clearance is a privilege and one of the requirements of maintaining a clearance is the demonstrated ability to know what to do and what not to do when it comes to protecting information. Falling victim to phishing scams/tests on a regular basis is one of those things that falls into the category of “what not to do.”

However, if you lined up 100 random employees from any random agency, 95 of them have clicked on a link in a phishing email at some point in their careers, four haven’t because they drive a forklift and don’t use a computer at work, and the other one just started today and hasn’t received his logon yet.

I think both operations people and security people can agree that if someone received regular security training and yet is still a PERPETUAL source of pwnage in the enterprise, that person is making questionable decisions. In the world of security clearances it should be the personnel security organization and their adjudication branch that determines if one should retain access to classified information, not a CISO (who, if given their druthers, would delete all user accounts, because if it weren’t for users….). For those who don’t understand the impact of losing a security clearance, let me be clear: if you take away someone’s clearance, you’re taking away their job now and their employability in the national security arena forever.

As I’ve mentioned before, if you don’t have a solid computer security training program in place, as well as a corresponding schedule of corrective and adverse actions, you are setting people up to fail. There should also be a corresponding program of recognition and rewards for people who display the right behavior and exercise sound judgement in the face of a security challenge. Employees should understand that the security team stocks carrots as well as sticks.

At the executive levels and in HR there also has to be a shift in perception regarding security violations. Computer security violations are not second-class offenses just because ‘it’s only cyber.’ If you would punish an employee for violating a safety or security policy in meat-space, you should treat cyberspace violations just the same, especially given that a computer security violation could have much wider and deeper repercussions for the enterprise.

There is a time and place for the iron fist of discipline, but it should come AFTER employees have been given the tools and training to know what to do in a given circumstance, and it should come after lesser forms of corrective action have been taken. Good people are hard to find, and no organization likes to fire people willy-nilly, but it’s 2015 and no one can afford to treat computer security violations cavalierly if they expect to be around in 2016.