At the start of my career I remember a presentation from an IT security guru who, having taken us through all the latest developments in IT security, effectively concluded that people are the weakest link when it comes to security.
That is still the case today – but the difference now is that information technology is ubiquitous in everyday life, not just the preserve of a specialist few. The uptake of shopping, banking, socialising and playing in the digital universe suggests that for most people the benefits of convenience, availability and social connection outweigh the well-publicised risks of data and identity theft. Depending on your point of view, the amount of personal information shared on social media demonstrates either an alarming naivety or a very different, more tolerant, attitude to risk.
So what does this mean for the CISO? Those same people shopping, banking, socialising and playing online work in your organisation. They will be influenced by their personal experience, and this will translate into how they try to improve their work experience – for example, using free tools from the web that make their job easier, more enjoyable and more convenient. Their focus is on getting the job done rather than considering the potential leaks of information or avenues for attack that the security experts are concerned with. For some, the definition of the work itself has changed and it's hard to draw a line: a desire to improve your customers’ experience of your products and services may well be a justified business reason to investigate the world of online gaming, for example.
It's time for IT and the business to start collaborating on the topic of security, to avoid the polar extremes of unnecessary exposure to risk on the one hand or the business being stifled by a straitjacket of over-cautious security diktats on the other. A healthy tension may be created between being secure and enabling the business to work differently: and therein lies the opportunity for real creativity and innovation.
This means doing three things:
1. Develop a shared understanding of what the business wants to do and the associated risks and benefits. Collaborating on the security architecture will help develop and trace through that understanding, provided there is a business-friendly lens through which it can be viewed in addition to the security architect's lens.
2. Develop a meaningful, relevant and living security operating model. This means one that people can readily engage with on the basis of understanding why they should do things. "Compliance" should become "the way we work" rather than a matter of policing breaches of policy.
3. Education, education, education – ensure that all staff understand how the things they do as part of their own job can impact themselves and their organisation. This can range from the highly visible and dramatic - the CIO of US retailer Target being removed following the well-publicised loss of millions of their customers’ payment card details - to the more common, everyday scenario of line managers failing to initiate the leavers’ process for departing staff members promptly and not understanding the risk this creates.
Working together to transform that "weakest link" into one of the strongest of your defences should be a vital element of your overall strategy. Be prepared to embark upon a serious transformational journey that engages the organisation top-to-bottom and across every business function. And be aware that with changes in technology, in society, in business, in the environment, it’s a journey without a fixed destination but with many interesting stops along the way.