Home Depot Looks At The Psychology Of Security
Vulnerabilities are more often a human rather than a technological issue.
In implementing network security, which three-quarters of respondents to information Research's Priorities study identify as a top concern, business-technology executives are at a built-in disadvantage. They have to look for every weakness in their networks, but the bad guys only have to find one.
The problem isn't technology, but psychology, says John Hartmann, senior director of IT at Home Depot and a former FBI agent. "Technology generally doesn't fail. If someone has crafted a new virus or worm that can evade detection, that's a human issue."
Not that he doesn't advocate the use of technology. Network segmentation, firewalls, and virus-detection systems are integral components of an information-protection system. Most important, though, is access control. Few security breaches are high tech in origin; most can be traced to inadequate policies, screening, and training.
All industries, not just regulated ones like financial services and health care, have incentives to beef up information security. Home Depot is subject to Sarbanes-Oxley and HIPAA security provisions, Hartmann says.
Hartmann advises companies to open their information-protection procedures to scrutiny by outside experts. "Self-assessment is critical," he says. Any reasonable information-protection process would include validation by an outside trusted partner, he adds. Home Depot has developed relationships with a handful of outside parties, who provide assistance with analysis of framework and tool selection.
Return to main story, Projects With Purpose