Securing the Unofficial Organization

It was only a minor annoyance. My health club uses the member’s club ID card to activate the locks on the locker room lockers. I had neglected to collect my card from the locking device after leaving the gym last week, and explained my dilemma to the...

When you’re managing security, the unofficial organization may be a blessing, but it is always guaranteed to be a curse. Employees and customers will leverage the unofficial organization to make their interactions more efficient, and that often means bypassing the security enforcement controls you have implemented to protect organizational resources. The unofficial organization may be letting unauthorized people into sensitive areas. Its members may be sending confidential information out through Web-based e-mail clients to avoid firewall and e-mail controls. They may be using communication paths and technology tools you cannot monitor or manage. To be an effective security leader, you need to understand how the unofficial organization works, and how you can protect valuable resources knowing that those personal friendships and special relationships will always flourish.

John McCumber is a security and risk professional and the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: