Become an IT security guru in 10 steps

Becoming a legal IT security expert doesn’t need a lot of effort and, with due care, you can build your legend in a short time frame by following ten easy steps:

  1. learn the lingo (security is a process, not a product; don’t use easy-to-guess passwords; is your company ISO-27000-1 compliant? and so on),
  2. give yourself an “authoritative” demeanor and look (always talk in a “visionary” way, making people feel like they still live in the stone age) and dress accordingly,
  3. talk legalese with techies, technical with lawyers,
  4. attend (possibly international) IT technical and legal/management conferences and try to get as many pictures as possible of yourself with reputable people even if they don’t know you, and regularly update your Facebook/Google+/blog with those pictures,
  5. try to give a speech at some university students’ association, so you can claim to be an “invited speaker” at the university (without mentioning the name, of course),
  6. create your own “digital-something organization”, become its chairman (and sole member, BTW) and champion of digital human rights,
  7. flood the newspapers with press releases that will be regularly ignored until some journalist who is out of time to finish an article stumbles upon your statement, thus promoting you to the level of “source”,
  8. try to catch up with some low-level civil servant involved in trivial matters related to the trade, give him some vapourware hint that makes him look smart at work, and use him as a source of petty information that lets you look like you’re part of the “inner circle”,
  9. try to have as many LinkedIn connections as possible,
  10. get the European Computer Driving Licence (at least you must know how to switch on a computer to work in this field, don’t you?).

By following these steps you start a loop where your legend becomes more and more solid, up to the moment when you will be considered a “guru” and nobody will ever check your actual background.

And don’t worry if you ever get a client: as long as you stick to these ten commandments you’re safe. Nobody will ever challenge the outcome (if any) of your work, because nobody will ever admit to having been fooled into hiring a fake…

The Fake Data Processor and The True Criminal Liability

Under Legislative Decree 196/03 (the Italian enforcement of the Data Protection Directive) one of the most common practices when developing a company’s data-protection corporate policy is to appoint the heads of the various departments as “Data Processors”.

Although easy in the short term, this solution might backfire on the company itself. A recent Corte di cassazione (Italian Supreme Court) decision – III penal section – Dec. n. 20682/14 – ruled that under the workplace safety regulation, an employer who appoints a safety manager who is not fit for the job because of his lack of competence commits a criminal offense.

The very same principle can be applied by analogy to the Data Protection Directive. The DPD – and its Italian enforcement – make it mandatory to appoint a data controller actually fit for the job.

Choosing people on a different basis (not because they know the matter, but just because they’re the company’s department heads) means that in case of data-protection-related criminal offenses the data controller (and, most important, the prosecutor and the court) can’t blame (only) the data processor itself.

So, in terms of management, the decision is between only formally complying with the legal requirements and actually complying by appointing capable data processors.

In the first case the company accepts the risk of a future (but uncertain both in “if” and “when”) accident but saves short-term effort and time.

In the second case the company spends more and possibly has to change its internal processes in anticipation of an event that might not happen at all.

How to poison 700.000 people and live happily with it. A case study in crisis management

According to the Italian National Institute of Health, about 700.000 residents of an Italian region, Abruzzi, have been exposed to water polluted by an illegal chemical waste dump that the national newspaper Repubblica labeled the biggest in Europe. Although the existence of the waste had been widely known since 1972, only in 2007 did the public prosecution service start an investigation, and now the criminal trial is likely to end in nothing. The statutory term that sets the maximum duration of this trial is about to expire, after which the court will no longer be able to indict those responsible.

Apart from the legal issues, it is interesting to look at this incident from a crisis management perspective.

Though the big corporations involved in the scandal and now on trial have surely steamed up their spin doctors to properly handle the damage control, the same can’t be said of how the local politicians reacted.

Whatever book you pick up on the topic advises you to check the facts, be transparent with the media, don’t hide things under the carpet, tell what you know, what you don’t know and what you’re going to do to fix the problem, protect your credibility and so on. But in this case, none of these suggestions have been followed. Neither the longstanding politicians who occupied the core seats during the last forty years nor the law enforcement accounted for their lack of control, and when the media started inquiring the main reaction was to pass the buck onto somebody else’s shoulders, releasing vague and contradictory statements and avoiding the hot topic.

From a general crisis management theory point of view, the way the “stakeholders” handled this scandal can be qualified – to be gentle – as grossly amateurish, but a reality check shows that the lack of enforcement of a crisis management plan didn’t affect the career of most of the people involved; some of them are now even running for a new term in the upcoming elections or still sitting in their (power) chairs.

A possible explanation of this status quo is the lack of pressure from information professionals. The local and national media failed to pitch the facts high enough to ignite a durable burst of public outcry and protest. Far from public scrutiny, the people involved fell into a convenient oblivion and didn’t feel compelled to devise a properly arranged defensive strategy.

Once again, this story shows that Information is Power.

There is no such thing as “Information Security”

Security is Security. Period. No matter whether you’re designing a network, traveling around some third world country or assessing the pollution of the food you’re about to eat: security prowess comes from confronting danger(s).

There is something different between people who have been exposed to dangers of every sort (soldiers, firefighters, ER personnel) and those who haven’t: the former know what they’re talking about, the latter don’t. You can read it in their eyes, demeanor and down-to-earth approach, as opposed to the pompous, empty style of somebody who can’t even spend half an hour on Barcelona’s Las Ramblas without being pickpocketed.

Think about it, the next time a “security” consultant tells you that “you have a security problem” and that “he can fix it”.

On Death and Corporate Culture

Giancarlo Livraghi, who passed away last Feb. 22, is not only one of the Fathers of the Italian Internet and a civil rights advocate. He is one of the most influential players in the international advertising business. From 1980 to 1993, when he retired to focus on the cultural implications of the (then) newborn Internet, he founded and directed Livraghi, Ogilvy & Mather, now just Ogilvy Italia.

The sad news made a fast round in the advertising community, but neither the Ogilvy corporate site nor the Italian one spent a single word to say “good-bye” to one of its top men ever (at least, I looked thoroughly and found nothing, even through Google). This fact reinforced a disturbing belief I’ve developed interacting with the US-based management style: when you’re gone, you’re gone, no matter how much good you did for the company. After all, a human being is just a “resource”.

Then compare this approach to the management style of Adriano Olivetti. True, Olivetti – the company that, before Richard Stallman, invented the powerful concept of Open System Architecture – is no more than a vague name in the ICT business. But its management style is still an unsurpassed way to make people work together.