That’s a lovely story. A developer of security software for the national infrastructure (US) outsourced his job to China, without his bosses knowing. How? He simply FedEx-ed his two-factor authentication token to the contractor, thus allowing world+dog access to the top-secret code. So true. So expected.
That’s not as unusual as one may think. Some years ago we did research on people’s attitudes towards ‘chip and PIN’ payment cards (among other things). It revealed that for some people, handing their card and PIN to a family member is just a matter of convenience, not a security concern at all.
Of course, people have always flouted policies. This time, however, there is simply too much at stake to assume that policies protect us. If you manage security, you have to look much further than your set of policies: you should trace all the dependencies that truly shape your security.
Trust Governance delivers a tool to do this systematically. It is called TraCoDA. You can stay shallow or go deep, but you always know where you are and how much you have covered. The trick? Do not ask questions about security. Do not assess risk. Discuss trust. You will see how far it can get you.