He just don't get it
The story the other day about the VA (Veteran's Administration) worker who took a data file home with him that had the info on all 26,000,000 U.S. veterans got a little worse in my mind yesterday when the agency's director, Jim Nicholson, came up with a pretty good excuse for why an employee could walk out of the door with a laptop with unencrypted sensitive data on it.
"I'm so damn mad at the loss of veterans' data and the fact that one person can put all of us at risk," said Nicholson, an Army veteran who served in Vietnam. "I can't explain these lapses in judgment on the part of my people. . . . After the inspector general finishes his investigation and finds exactly what happened, I plan to take decisive actions. "
Whew. At least we know who to blame.
Doesn't anyone in this administration get this yet? if the security of an entire class of the U.S. population depends on reasonably careful behavior on the part of a single employee out of an agency with tens of thousands of workers, then from a security perspective, we as a nation are screwed.
Nicholson is going to start having employees go to a cybersecurity class. That conjures up an image of a bunch of pregnant women sitting at desks learning about sex-ed.
Security has to be organizational as well as individual. I think that an appropriate background in information security should be as much a requirement for these appointees as management or financial experience. Some things have to be understand at the top and not delegated and I'm afraid that this is one of them.
Posted on May 26, 2006
