The recent Wikileaks breach continues to generate comment and opinion in both the mainstream press and the IT security media. I came across a blog post by Upasana Gupta at HealthcareInfoSecurity.com recently and believe it makes some excellent points about the lessons of Wikileaks and the challenges it presents for IT security professionals and managers.
One key point made there is that controlling access, though critical, is not enough. You obviously have to ensure that everyone has only the level of access they need for their jobs, and that these entitlements are reviewed on a regular basis. But there will always be cases where someone legitimately needs access to sensitive information and yet there are operations on that information that you still need to prevent, such as emailing it outside the organization or copying it to removable media or a personal drive. Access control answers "may this person see it?"; use control answers "may this person do that with it?", and the two are separate decisions. In the case of Wikileaks (as we have noted in several blog postings), the controls were non-existent or ineffective on both counts: in terms of user access, the insider who leaked the documents never should have had access to such a wide variety of sensitive material; and in terms of information use, that person never should have been able to copy it and communicate it externally.
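To make the distinction concrete, here is an added illustration (my own example, not code from the blog post or from any real system) of a policy check that treats the two decisions separately: an access decision based on clearance and need-to-know, a use decision that denies exfiltrating operations (external email, removable media, printing) on sensitive documents even when read access is granted, and a periodic entitlement review that flags grants which exceed what the role should have or have not been re-certified in time. All role names, classification levels, documents, users and dates are constructed for the example.

```python
"""
Access entitlement vs. use restriction, plus periodic entitlement review.

Two separate questions are answered here:
  may_read     - is this user entitled to see this document at all?
  may_perform  - given read access, may this user perform this operation
                 (read / email_external / copy_removable / print) on it?
review_entitlements then flags grants that are over-privileged for the
user's role or that have gone too long without re-certification.

Everything below (levels, roles, users, documents, dates) is constructed
sample data for the illustration, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Ordered classification levels (assumed for the example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Exfiltrating operations are restricted on documents at or above this level.
RESTRICTED_FROM = "confidential"


@dataclass(frozen=True)
class Document:
    doc_id: str
    level: str
    compartments: frozenset  # need-to-know tags, e.g. {"diplomatic"}


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    clearance: str
    compartments: frozenset
    last_reviewed: date


# Operations that move information out of the controlled environment.
EXFIL_OPS = {"email_external", "copy_removable", "print"}

# Assumed role table: which exfiltrating operations a role may perform on
# restricted documents. Analysts get none; a records officer may print.
ROLE_EXPORT_ALLOW = {
    "records_officer": {"print"},
    "analyst": set(),
}


def may_read(ent: Entitlement, doc: Document) -> bool:
    """Access decision: the user's clearance must dominate the document's
    label AND the user must hold every compartment the document carries."""
    return (LEVELS[ent.clearance] >= LEVELS[doc.level]
            and doc.compartments <= ent.compartments)


def may_perform(ent: Entitlement, doc: Document, op: str) -> bool:
    """Use decision: read access is necessary but not sufficient.
    Below the restricted level any operation is allowed; at or above it,
    an exfiltrating operation needs an explicit role allowance.
    Unknown operations fail closed."""
    if not may_read(ent, doc):
        return False
    if op == "read":
        return True
    if op not in EXFIL_OPS:
        return False
    if LEVELS[doc.level] < LEVELS[RESTRICTED_FROM]:
        return True
    return op in ROLE_EXPORT_ALLOW.get(ent.role, set())


def review_entitlements(ents, role_max_clearance, today, max_age_days=90):
    """Periodic review: return (user, reason) pairs for grants that exceed
    the role's maximum clearance or were not re-certified within the window."""
    findings = []
    for e in ents:
        allowed = role_max_clearance.get(e.role, "public")
        if LEVELS[e.clearance] > LEVELS[allowed]:
            findings.append((e.user, f"clearance {e.clearance} exceeds role max {allowed}"))
        if today - e.last_reviewed > timedelta(days=max_age_days):
            findings.append((e.user, "entitlement not re-certified within review window"))
    return findings


# Constructed sample data.
CABLE = Document("cable-0001", "secret", frozenset({"diplomatic"}))
MEMO = Document("memo-0042", "internal", frozenset())
ALICE = Entitlement("alice", "analyst", "secret", frozenset({"diplomatic"}), date(2010, 11, 1))
BOB = Entitlement("bob", "analyst", "secret", frozenset({"finance"}), date(2010, 6, 1))
ROLE_MAX = {"analyst": "confidential", "records_officer": "secret"}


def demo(today=date(2010, 12, 1)):
    """Run the checks over the sample data and return the decisions."""
    return {
        "alice_read_cable": may_perform(ALICE, CABLE, "read"),          # access granted
        "alice_email_cable": may_perform(ALICE, CABLE, "email_external"),  # use denied
        "alice_copy_cable": may_perform(ALICE, CABLE, "copy_removable"),   # use denied
        "bob_read_cable": may_perform(BOB, CABLE, "read"),              # no need-to-know
        "alice_email_memo": may_perform(ALICE, MEMO, "email_external"),  # below restricted level
        "review": review_entitlements([ALICE, BOB], ROLE_MAX, today),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that alice can read the cable but is refused when she tries to email it or copy it to removable media, which is exactly the gap the post describes: a read entitlement that carries no control over what is done with the information afterwards. The review function also shows why entitlement review matters on its own: both analysts hold a clearance above what their role should have, and one grant has simply not been re-certified.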
A second important point is that the role of an effective security executive goes beyond establishing policies, creating controls, and monitoring their effectiveness. Those activities are critically important, but they should not be viewed as the overarching goal of the security function. The true goal of every security executive should be to "build and protect a [company's] reputation." When all efforts are directed toward that goal, it should become easier to marshal support for, and adherence to, policy from across the organization.