Most users consider IT security a nuisance, and that's an attitude that can render any security measure useless, says the man in charge of keeping NASA data systems safe.
Scott Santiago, information chief at NASA's IT security operation, says the key to the agency's security was to change the mindset of the people running the organisation.
NASA was surprisingly short on IT security until a couple of years ago. Speaking at a recent security conference in Auckland, Santiago says a large part of NASA's role has always been to disseminate information to the public, but an audit in 2000 revealed that the organisation was complacent about IT security. NASA took a hammering from the US Congress, though this ensured management buy-in for developing a business case for IT security, says Santiago.
NASA embarked on a process of risk assessment and of defining IT security metrics. The idea of outsourcing was mooted, as NASA had already outsourced most of its IT operations, but Santiago fought the idea and kept security in-house.
Now each system has its own IT security plan, and audits are carried out across NASA's 11 main centres each year. A vulnerability scan of every system is done once a month. NASA has listed the top 100 vulnerabilities of each system with the aim of reducing them.
NASA also fosters the practice of sharing information on security breaches.
"Everyone was afraid to talk about being hacked, so there was no sharing of incident information. We needed to convince them that they needed to share, and now we have a body to facilitate sharing."
But the key factor for success is to have buy-in from the users, says Santiago. "You have to make security an integral part of how they do their job."
To this end NASA has set up an IT security training programme which 100% of employees must complete. "We had to overcome a negative attitude towards IT security. Scientists and researchers saw it as something which hampered their ability to get the job done. Their attitude was 'that's not my job, it's yours'."
Santiago says the only way it works is if you have everyone participating. "We have to have constant communication with researchers emphasising the benefits."