Re: Clintonemail.com: A Cautionary Call To Action
I very much agree with your overall takeaway here, Joe; communications-based security concerns (be they e-mail or otherwise) are a persistent, legitimate issue, and they aren't going away any time soon. If nothing else, the fact that the Secretary of State was, at some level, infracting on this is evidence that this goes up to the highest level possible - and that there's no doubt it affects everyone in between. I do think the ramifications of this specific story are being inflated a bit by other, click-hungry publications (Gawker called it a 'secret' e-mail address, haha) - it's worth noting that Mrs. Clinton already turned over all the e-mails from this account to public officials for review, and (according to herself) wants the public to see them. There's a lesson in there about tact and incident response (an important component) for CXOs, too. Nevertheless, we are talking about one of the highest offices in the world.
There's no shortage of issues here on the technical side (the need for a good MDM solution comes to mind), but I agree with your position that the non-technical is often just as or more relevant. Many security pros advocate mitigation and DR over prevention, and that seems relevant here. Whether willfully or accidentally, users are inevitably going to violate your policies. When you mentioned monitoring private e-mail, I couldn't help but think 'even if you did that, they would just give you a phony e-mail to monitor, and then use another one'. Expecting outside partners to adhere strictly to your policies also seems like a bridge too far outside of extremely sensitive industries (i.e. financial, gov't contractors) - after all, it's not like you'd want to adhere to theirs. I think it's more about finding a good fit and figuring out what's absolutely essential to you and what's an acceptable risk.