A very old idea in business is the concept of “management by walking around” (MBWA). If I recall correctly, the founders of Hewlett-Packard, Dave Packard and Bill Hewlett, created this concept to define an active strategic management style that required active information gathering and active problem solving – primarily by encouraging direct contact between senior management and key employees, customers, and suppliers.
A recent incident brought this concept to mind in relation to information security. We had negotiated an agreement in which a business would outsource certain key back-office operations to an offshore vendor. The vendor would have possession of the business’ most sensitive trade secret and customer information. As you would expect, the contract included significant detail concerning the information security measures the vendor was expected to maintain. One such measure was the installation of perimeter security cameras at the vendor’s facility. The vendor confirmed all such measures were in place, including the positioning of the security cameras.
As part of post-contract monitoring, a team from the business was dispatched to confirm the vendor had properly implemented the required security measures. Sure enough, when they arrived at the facility, they found the cameras strategically positioned to provide full coverage of the exterior of the facility. The problem, however, was that they discovered the cameras were not actually connected to any monitoring equipment. The wiring terminated at the base of the posts on which the cameras were located. The vendor had installed the required cameras. They just hadn’t connected them to anything.
While this is a somewhat extreme, almost comical, circumstance, it highlights the importance of doing a little “security by walking around” (SBWA). Having a well written, fully fleshed-out contract is certainly important, but following up with some SBWA can ensure the vendor actually understands its obligations and has properly implemented them. SBWA can also assist businesses in establishing they have acted reasonably in ensuring the data they have entrusted to others is being properly protected.
