Let’s leave the somewhat depressing thought from my previous blog post, that ICT people are the weakest link, for what it is for now. Yes, it may well be true: they have designed, developed and maintained ICT that combines badly with well-known vulnerable human behaviour. Let’s go one step further and ask how predictable human behaviour can be put to good use, even with inherently insecure ICT.
A few weeks ago I was talking about information security with the CEO of a large services provider. He had done the well-known kind of risk assessment workshop with his accountant and might have done some awareness activity, but information security was not very much on the management radar, even though there were some crown jewels to protect. Employees were not very concerned either. The CEO, on the other hand, somewhat fondly observed that the people in his organization were really entrepreneurial and focused on action. Managing risks is not really on their minds, though, and that concerned him a little.
Although the usual course of action in such cases would be raising awareness with a solid communications campaign and perhaps training, we ventured into a different area. Why not take that strong, internal incentive of the employees as the guiding principle? They want to work hard, anywhere, anytime. That means new devices on the network every day, remote working and so on. Why not combine the need to work anywhere, with any device, with subtle ‘blockades’ and ‘funnels’ that steer employees into secure behaviour?
Yes, you can work on the company network with your smartphone, but only with the right certificates, and over a VPN connection that will only come up if your virus scanner is up to date. The point is that the check is enforced by the gateway rather than by asking the user, and that the way to comply (enrol the device, update the scanner) is the path of least resistance. A small example perhaps (and not complete), but technology in itself offers a lot of possibilities to subtly lure people into secure behaviour or steer them away from insecure actions.
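To make the ‘blockade and funnel’ idea concrete, here is an added example of such a posture check, written for this post and not taken from the services provider or any product. It assumes a VPN gateway that hands the connecting device’s client-certificate details and virus-scanner status to a small policy function; the issuer name, the three-day signature threshold and the sample devices are all assumptions made for the illustration. The one design choice worth noting is that every failing check adds a remediation step instead of stopping at the first failure, so a denied user sees the complete path back to a working connection (the funnel) rather than just a closed door (the blockade).

```python
# Added example (not from the original post): a posture check that implements the
# "blockade and funnel" idea. Names, thresholds and sample devices are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

TRUSTED_ISSUER = "CN=Example Corp Device CA"   # assumed issuer DN of enrolled device certificates
MAX_SIGNATURE_AGE = timedelta(days=3)           # assumed freshness requirement for scanner signatures
REFERENCE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


@dataclass
class DevicePosture:
    """What the VPN gateway learns about a connecting device (assumed attribute set)."""
    device_id: str
    cert_issuer: Optional[str]                  # issuer DN of the client certificate, None if none presented
    cert_not_after: Optional[datetime]          # certificate expiry in UTC, None if none presented
    av_running: bool                            # is the endpoint protection agent running?
    av_signatures_updated: Optional[datetime]   # last signature update in UTC, None if unknown


@dataclass
class Decision:
    allow: bool
    remediation: List[str] = field(default_factory=list)  # the funnel: what the user must do to get in


def evaluate(posture: DevicePosture, now: datetime) -> Decision:
    """Admit only enrolled devices with a valid certificate and a running, up-to-date scanner.

    Every failing check appends a remediation step; the connection is allowed only when
    no step remains.
    """
    steps: List[str] = []

    if posture.cert_issuer is None or posture.cert_not_after is None:
        steps.append("enrol this device in device management to obtain a client certificate")
    else:
        if posture.cert_issuer != TRUSTED_ISSUER:
            steps.append("certificate was not issued by the company device CA; re-enrol the device")
        if posture.cert_not_after <= now:
            steps.append("client certificate has expired; renew it through device management")

    if not posture.av_running:
        steps.append("start the endpoint protection agent")
    elif posture.av_signatures_updated is None or now - posture.av_signatures_updated > MAX_SIGNATURE_AGE:
        steps.append("update virus signatures (must be newer than %d days)" % MAX_SIGNATURE_AGE.days)

    return Decision(allow=not steps, remediation=steps)


def sample_devices(now: datetime) -> List[DevicePosture]:
    """Constructed devices for the illustration, not real inventory data."""
    return [
        # fully compliant managed laptop
        DevicePosture("laptop-0001", TRUSTED_ISSUER, now + timedelta(days=200), True, now - timedelta(hours=6)),
        # personal phone, scanner fine, but never enrolled (no certificate)
        DevicePosture("phone-byod-7", None, None, True, now - timedelta(hours=1)),
        # managed laptop whose signatures are ten days old
        DevicePosture("laptop-0042", TRUSTED_ISSUER, now + timedelta(days=30), True, now - timedelta(days=10)),
        # wrong CA, expired certificate, scanner not running: three things to fix
        DevicePosture("laptop-0099", "CN=Some Other CA", now - timedelta(days=1), False, None),
    ]


if __name__ == "__main__":
    for device in sample_devices(REFERENCE_TIME):
        decision = evaluate(device, REFERENCE_TIME)
        print(device.device_id, "ALLOW" if decision.allow else "DENY")
        for step in decision.remediation:
            print("   ->", step)
```

Run as a script it prints one line per constructed device with the remediation steps under each denial; in a real gateway the same `evaluate` result would drive the captive page or client message the user sees.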
For organizations with a different culture than the services provider described above, other incentives might work better. The military, for instance, probably gains much more than most other organizations from clear, well-communicated regulations.
I therefore believe that we can gain a lot of ground as an information security discipline if we take organizational culture and human behaviour into account. Change management, and the way other support functions in organizations work with the business, can be inspiring. There’s still a lot for us in infosec to learn!