Security Policy, Leadership, and Training A retired Japanese Coast Guard boat (Takachiho) was sold to a pro-North Korean organization without having assurances that navigational data was deleted. The decommissioned patrol boat could have had as many as 6,000 locations recorded over 250 days of use.25 The vessel was presumably sold to be turned into scrap. Weapons and radio equipment were removed, but no procedures were in place to ensure that navigational data were securely deleted. In fact, there are no secure data deletion procedures in place for naval vessels prior to disposal. It is unknown if navigational data were recovered from vessels disposed of through past sales.26 The loss of Japanese military data to North Korea may be a serious security breach. This is especially troubling during times of heightened tensions between the two countries. Secure disposal policies will likely be applied to all craft, systems, and technology in the name of national security. This case points out the importance of periodically reviewing security policies and procedures. Past Japanese navy boats may have been unable to store any navigational data. Newer naval boats may have systems that can store a lifetime of detailed information. The same may be true of cell phones, ground vehicles, photo copiers, and so on. Security policies must change with advances in technology. PricewaterhouseCoopers (PwC) 2013 Global State of Information Security Survey collected more than 9,300 responses from “9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 128 countries.” The following are a few of the key findings from their annual report.27 A Game of Confidence: Organizations Assess Their Security Practices

1. Good self-assessments continue this year, with a substantial number of respondents saying their organizations exhibit the attributes of information security leaders.

2. Confidence runs deep. Most respondents believe their organizations have instilled effective information security behaviors into organizational culture. A Game of Risk: The Decline of Capabilities Over Time

1. The economic environment ranks first among the multiple factors shaping security budgets, with information security concerns lying far down the list.

2. There has been a long-term decline in the use of some basic information security detection technologies. That’s like playing a championship game with amateur sports equipment.

3. Organizations are pruning their rulebooks, with some once-familiar elements of information security policies becoming less common.

4. Safeguarding information is easier when you know where that information is. But organizations are keeping looser tabs on their data now than they did in years past.

5. As mobile devices, social media, and the cloud become commonplace both inside and outside the enterprise, technology adoption is moving faster than security. It’s How You Play the Game: Alignment, Leadership, and Training Are Key

1. A focus on business success should inform all aspects of the organization’s activities. Most respondents say security strategies and security spending are aligned with business goals.

2. An effective coach is key to a winning team. Respondents say executives still have work to do in demonstrating their leadership in security strategy. Security leaders, meanwhile, still lack adequate access to the executive suite.

3. People who don’t know how to do things rarely do them well, which makes the lack of staff and resources available for security training a significant problem.

Case Discussion Questions

1. Why was the navigational data on the Japanese Coast Guard vessel not securely deleted?

2. How can secure disposal policies aid in effective disposal of naval vessels?

3. How could the Japanese Coast Guard write an effective data disposal policy?

4. What kind of information security behavior needs to be instilled into an organization’s culture to effectively implement information security systems?

5. Discuss the areas where firms lack in their capabilities to manage information security?

6. How can effective leadership play an important role in devising and implementing security strategy?