The user is the weakest link. Really? Part 2


Let’s leave the somewhat depressing thought from my previous blog, that ICT people are the weakest link for what it is for now. Yes it might be true, as they’ve designed, developed and maintained ICT that combines badly with known vulnerable human behaviour. Let’s go one step further and determine how expected human behaviour can be used for the best, even with inherently insecure ICT.
 
A few weeks ago I was talking about information security with the CEO of a large services provider. He had done the well-known sort of risk assessment workshop with his accountant and might have done some awareness activity, but information security was not very much on the management radar, even though there were some crown jewels to protect. Employees were not very concerned either. The CEO, on the other hand, somewhat fondly observed that the folks in his organization were really entrepreneurial and focused on action. Managing risks is not really on their minds, though, and that concerned him a little.
 
Although the main course of action in such cases could be raising awareness with a solid communications campaign and perhaps training, we ventured into a different area. Why not take that strong internal incentive of the employees as the guiding principle? They want to work hard, anywhere, anytime. That means new devices on the network every day, working remotely and so on. Why not combine the need to work anywhere, with any device, with subtle ‘blockades’ and ‘funnels’ that force employees to adopt secure behaviour?
 
Yes, you can work on the company network with your smartphone, but only with the right certificates and a VPN connection that will only connect if you’ve got an up-to-date virus scanner. A small example perhaps (and not complete), but technology in itself offers a lot of possibilities to subtly lure people into secure behaviour or steer them away from insecure actions.
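The ‘blockade and funnel’ idea above can be made concrete as a device posture check that runs before a VPN session is granted: the connection is refused unless a company client certificate is present and unexpired and the virus scanner is running with recent signatures, and every refusal carries the reason, which is what steers the employee towards fixing the device rather than giving up. The following is an added illustration and not code from the original post; the posture fields, the three-day signature-age threshold and the sample devices are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy threshold: signatures older than this count as "not up to date".
MAX_SIGNATURE_AGE = timedelta(days=3)


@dataclass
class DevicePosture:
    """What the VPN gateway learns about a device before letting it connect (assumed fields)."""
    device_id: str
    client_cert_subject: Optional[str]          # None when no company certificate is presented
    client_cert_not_after: Optional[datetime]   # certificate expiry, timezone-aware
    av_running: bool
    av_signatures_updated: Optional[datetime]   # None when the scanner has never updated


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # the "funnel": what the user must fix


def evaluate_access(posture: DevicePosture, now: datetime) -> Decision:
    """Apply the blockade rules; collect every failed rule so the user sees all remediation steps at once."""
    reasons: List[str] = []

    # Rule 1: a valid company client certificate must be presented.
    if posture.client_cert_subject is None or posture.client_cert_not_after is None:
        reasons.append("no company client certificate presented; enrol this device first")
    elif posture.client_cert_not_after <= now:
        reasons.append("client certificate expired; renew it through device enrolment")

    # Rule 2: the virus scanner must be running with recent signatures.
    if not posture.av_running:
        reasons.append("virus scanner is not running; start it before connecting")
    elif (posture.av_signatures_updated is None
          or now - posture.av_signatures_updated > MAX_SIGNATURE_AGE):
        reasons.append(
            f"virus scanner signatures older than {MAX_SIGNATURE_AGE.days} days; update them")

    return Decision(allowed=not reasons, reasons=reasons)


def evaluate_all(postures: List[DevicePosture], now: datetime) -> Dict[str, Decision]:
    """Evaluate a batch of devices, keyed by device id."""
    return {p.device_id: evaluate_access(p, now) for p in postures}


# Constructed sample data: the moment of evaluation and four devices in different states.
NOW = datetime(2019, 2, 21, 9, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    DevicePosture("phone-compliant", "CN=alice-phone", datetime(2020, 1, 1, tzinfo=timezone.utc),
                  True, datetime(2019, 2, 20, tzinfo=timezone.utc)),
    DevicePosture("phone-stale-av", "CN=bob-phone", datetime(2020, 1, 1, tzinfo=timezone.utc),
                  True, datetime(2019, 2, 10, tzinfo=timezone.utc)),
    DevicePosture("laptop-no-cert", None, None,
                  True, datetime(2019, 2, 21, tzinfo=timezone.utc)),
    DevicePosture("tablet-expired-cert-no-av", "CN=carol-tablet", datetime(2019, 1, 1, tzinfo=timezone.utc),
                  False, None),
]


if __name__ == "__main__":
    for device_id, decision in evaluate_all(SAMPLE_DEVICES, NOW).items():
        verdict = "ALLOW" if decision.allowed else "DENY "
        print(f"{verdict} {device_id}")
        for reason in decision.reasons:
            print(f"       - {reason}")
```

The design point is that the gateway reports every failed rule rather than only the first one, so a device that is both unenrolled and running stale signatures gets the complete list of steps; a single terse “connection refused” would be a blockade without a funnel.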
 
For other organizations with different cultures than the services provider described, other incentives might work better. The military, for instance, probably gains much more than most other organizations from clear and communicated regulations.
 
I therefore believe that we can gain a lot of ground as an information security discipline if we take organizational culture and human behaviour into account. Change management, and the way other support functions in organizations work with the business, can be inspiring. There’s still a lot to learn for us in infosec!
