How can businesses ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?
Many organisations still fall into the trap of selecting a security technology and then attempting to retrofit a process around it. The resulting process is often clumsy, encouraging users to take shortcuts or simply to perform tasks in a roundabout way. Instead, reassess the problem at hand and design a new process; once that is right, the appropriate security technologies should be easier to identify.
After choosing a technology, implement it carefully. Testing, and more specifically piloting, is key to acceptance of security functionality among the user community. Lab testing, testing confined to the team developing the solution, or testing squeezed in at the end of an over-running project will most likely prove inadequate. Instead, focus on real-world users when testing or piloting a proposed solution, and get them to help you. For example, one ISF Member has identified a pool of about 100 users spread across the business who receive security patches and updates before other users. If no problems or issues are reported, the change or update is then rolled out generally across the business.
Then, do not forget training, and use it to focus on the process as well as the technology. Get senior members of the organisation to actively and visibly show their support by training alongside other users. Remember to include security awareness training, and make it real for the user. Most will use the internet at home for banking, or have children accessing the net; placing good practices into this alternative context will help your users be secure at work too.
Finally, make sure the process is monitored and fine-tuned, and does not just fade away after implementation. Do not be afraid to enforce compliance if necessary, and be ready to respond to changes in the business that demand a change or refresh of the process. Remember, you may get the chance to fundamentally alter the way that systems are secured only every five or ten years, so make it count.
Gary Wood is a research consultant at the Information Security Forum.