Trust is very important to successful business. Trust is a result of validated reliance upon another person or entity.
Trust is NOT a control.
I just made a posting to my other blog, "Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers', Records is Generally a Bad Idea."
The gist of the post is that allowing employees who are also customers or patients of their own employer access to their own customer/patient records is usually a bad idea, and allowing employees access to the records of coworkers who are also customers/patients is most certainly a bad idea.
I explain why in the blog post. If you read it, please let me know your feedback.
Over the years I have heard probably well over a hundred times from business leaders that they trust their employees...that they want their employees to know that they trust them...and so they do not want to establish any controls, such as access restrictions or monitoring, that may communicate to their employees that they do not trust them. If they trust their employees, they state, they do not need controls.
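To make the two controls named above concrete, here is an added example (mine, not from the original post or from the linked blog) of an authorization check for a customer/patient records system: it denies self-access and coworker access through the staff channel, and it records every decision, permitted or denied, so the access can be monitored. The employee directory, role name and record ids are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed employee directory: user ids of people who work for the organisation.
EMPLOYEE_IDS = {"u-100", "u-101", "u-102"}

@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset[str]

@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str  # user id of the customer/patient this record is about

# Monitoring control: every decision, permitted or denied, is appended here.
audit_log: list[dict] = []

def _log(principal: Principal, record: Record, decision: str, reason: str) -> dict:
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": principal.user_id,
        "record": record.record_id,
        "subject": record.subject_id,
        "decision": decision,
        "reason": reason,
    }
    audit_log.append(entry)
    return entry

def authorize(principal: Principal, record: Record) -> bool:
    """Return True only if every control passes; the decision is logged either way."""
    # Control 1 (least privilege): only a records-handling role may read records at all.
    if "records_clerk" not in principal.roles:
        _log(principal, record, "deny", "no records-handling role")
        return False
    # Control 2: the staff access path may not be used to reach one's own record.
    if record.subject_id == principal.user_id:
        _log(principal, record, "deny", "self-access")
        return False
    # Control 3: staff may not reach a coworker's customer/patient record.
    if record.subject_id in EMPLOYEE_IDS:
        _log(principal, record, "deny", "coworker-access")
        return False
    _log(principal, record, "permit", "all controls passed")
    return True

def denied_attempts() -> list[dict]:
    """Denied decisions: the subset a reviewer or a SIEM rule would look at first."""
    return [e for e in audit_log if e["decision"] == "deny"]
```

The point of the log is that the decision does not rest on trusting the clerk: a denied self-access or coworker-access attempt is itself a signal worth reviewing.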
Not only is this a dangerous attitude to take, considering that a large number of information security incidents and privacy breaches are the result of employee actions, it is also, quite bluntly, a very dumb belief!
Trust is NOT a control.
1. An age-old truth is that all humans...ALL...make mistakes.
Organizations must implement controls to help prevent employee mistakes, and mitigate the mistakes that do occur.
2. An age-old truth is that all humans...ALL...will unknowingly do bad things if they have not received the effective training and awareness communications needed to ensure they perform their job responsibilities in a secure and privacy-preserving manner.
Organizations must implement controls, including effective training and awareness, to help prevent employee ignorance from compromising the security and privacy of personally identifiable information (PII) and other sensitive information assets.
3. An age-old truth is that all humans...ALL...will do malicious actions out of desperation, if their well-being (such as financial stability) is threatened, or if they have the OPPORTUNITY to do bad things and they think they will not get caught.
Organizations must implement controls to keep employees from intentionally doing bad things.
Trust is NOT a control that addresses these human issues.
In addition to these three basic reasons for businesses to implement controls, there is also the compelling legal compliance reason. Business leaders throughout the world must implement information security and privacy controls to be in compliance with a growing number of multi-national data protection laws. Trust is not listed in *ANY* of those laws as an acceptable control.
Good employees will understand the reasons for controls if good business leaders clearly explain them through effective training and awareness communications, along with well-documented policies and procedures. You cannot validate reliance upon your employees to appropriately and adequately safeguard information assets without having controls in place.
Smart business leaders must understand that trust is NOT a control.
Be smart!
- Rebecca Herold's blog