How can business ensure security technologies are
aligned with work processes so that it is easy for end-users to do
the right thing and not circumvent controls?
Unfortunately the accountability of the user is yet to be well
understood, which leads to error or justified flouting of the
rules, often with management support, in order to get a job done.
This presents a colossal task for the security manager to ensure
employees understand the whys and wherefores of what is being asked
of them. Common practices, such as defining generic
responsibilities within employment contracts and delivering
awareness programmes via the intranet, are increasingly needed,
but are not adequate. Training should be developed to ensure skills
are present where they are required, while education and awareness
should aim to empower all stakeholders to make informed decisions
and become motivated for their own benefit. Still, such efforts only reflect
the perspective of the controller, leaving the controlled
unheard.
Perhaps it is time that the awareness exercise is turned on its
head, with security and business managers setting and enforcing
controls based on an understanding of what the user requires,
rather than forcing requirements on the user. The good news is that
there is an effort underway that will inherently begin shifting
focus to user behaviour. Once high profile data breaches started
making general news, organisations began to assess what their data
is doing, as well as where it sits, where it goes and how it moves
and what it is used for. In other words, they began to assess what
their users are doing. This exercise should build up a richer
context for information security strategy and lead to that
ubiquitous accountability that the information security department
has been trying to get the entire organisation to accept. Policy
will be supported by workable business processes, reflecting
individual functions that put employees in a position to respect
rather than flout it. Security controls will no longer need to be
ignored in the name of saving money or getting work done, because
it will be clear that one size cannot fit all. Employees will be
able to grow to understand how risks apply to their role and
anticipate them as they get on with their daily tasks. Electronic
data protection will become as instinctive as locking the desk
drawer at night.
John Colley is EMEA managing director at (ISC)2