Security's Everyman

Tuesday, February 06, 2007

Users continue to prove that security is about much more than technology. Many people talk about how it will take more than firewalls, AV, IDS/IPS, ACLs, and other technologies to secure our home PCs, our networks and the Internet. As long as there are people using these resources there will be security issues. Why? Because people continue to either ignore or not care about basic security.

There are at least two articles this week on major news sources that highlight this. The New York Times has a technology article here that talks about a paper (here) being written for the IEEE Symposium on Security and Privacy in May. The other is an InformationWeek article about workers ignoring basic security principles. I'll let you read them yourself, and you can read more on them here, here and here.

I've written before about the need for better Security Awareness Training (SAT), and I'm working on some things that I hope will evolve into something that will help make this a reality. One of the things I'm doing is networking with others in the security world who also care about SAT and who want to do something about it. Now that I'm finished with my latest project I'll have more time to put into this and other things. These will involve not only what will hopefully be more interesting SAT programs, but also working with management to change the culture within organizations so that Security Awareness is part of every day and not just a once-a-year event. As security issues make more headlines, and as companies have to start taking responsibility for their actions or inaction in regards to security, SAT will have to take a more visible role in the company. This will open doors for those of us who want to make a difference to introduce new concepts that can make a difference. I know that today compliance drives much of this, but I think that will change. Doing a SAT program that just meets your compliance needs may work today, but in the future compliance won't drive this; survival will.

I also believe that before we can really make an impact on the user community we have to make an impact on the IT community. There are too many people who work in IT who don't get security. The TJX breach and many others give us examples of this. End users won't take security at work seriously until those in IT do. So security professionals have to work with all departments to ensure that security basics are understood and implemented. This isn't easy in many companies because each department likes to be self-sufficient and not questioned by others, but this has to stop or the bad guys will find a way in and will win.

In my opinion Security Awareness Training has to be a priority for companies. They have to look at all aspects of their business, figure out how users can make it less secure, and then implement a plan to mitigate this risk and teach our users something that will help not only the company but also their homes and the Internet as a whole.


Anonymous said...

Check this out:

NoticeBored said...

Hi Andy.

You're dead right on two key points:

1) Infosec is not a pure technology issue.

2) "Something must be done" to address the human factors.

Unfortunately, "something must be done" is about as far as most people in the profession ever get. The brave ones (like you) try to do stuff but, so often, their initiatives are not well thought out, lack management support and funding, and after a razzamatazz launch event, they eventually just peter out.

It seems to me one of the biggest barriers to progress is that most companies still believe infosec is really IT security and is therefore something that the IT geeks should deal with. As a breed, IT geeks are not exactly renowned for their people skills and they naturally feel more comfortable with technology than with human beings.

One of the most passionate infosec awareness proponents I know trained in psychology and adult communications. She has a natural flair for putting complex techy issues in plain language and is comfortable talking to non-tech staff and managers as well as IT geeks. We need more people like her, which implies more university courses and training courses on human factors in security.

Lastly, I'd recommend Rebecca Herold's book "Managing an information security and privacy awareness and training program" to you and anyone else who has read this far. It's a fab book.

Kind regards,

Andy, ITGuy said...

Thanks for the comments. I agree IT "geeks" are poorly suited for this and we have to change management attitudes and IT attitudes before we can really make a difference. I'm working with a couple of different people on some ideas that we hope will really take off. I will check out Rebecca Herold's book. Thanks for the tip.

Michael said...

Thanks for your nice post!