Recently in Managing the Human Dimension Category

Impressions from the East

I'm just back from a week in the Far East where I was opening the 13th Info-Security Project Conference in Hong Kong. It's a couple of years since I last spoke at this conference, so it was interesting to observe the trends and progress in the region.

This year's conference was longer and well attended. Key themes included infrastructure, consumerization and mobility. There's no doubt that bring-your-own-device is this year's hot topic though it's been creeping up for a while. Cloud security is also a hot topic.

I left with an impression that this region is learning fast. Discussions with local security managers revealed a high level of maturity, as well as a healthy degree of openness to new ideas and change. Unlike the US and Europe, compliance has yet to blunt the enthusiasm of security managers.  

Of course there's little new under the sun. You see the same techniques and technologies in action, but often with a regional twist. One leading company I spoke to, for example, had implemented risk assessment with anonymous voting, rather than open discussion, to avoid staff being unduly influenced by the views of their bosses.

The thing I found most fascinating, however, was observing how networking varies around the world. In the US, breakfast meetings work best. In London it's dinner or perhaps after-work drinks. But Hong Kong remains one of the last bastions of the business lunch.

Death by a thousand facts

Death by a thousand facts is the title of a recently published academic paper by Geordie Stewart and me. It sets out to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.

Awareness programmes should not simply broadcast facts to an audience in the hope that behaviour might improve. They can be substantially improved with a little analysis and an understanding of the learning points from more mature fields such as safety.  

It's an excellent paper though I have to admit it's largely Geordie's work. He has an excellent knowledge of the application of psychology to analyse and solve security problems in industry. Unfortunately you have to buy it to read it.  

Trust and Society

I used to think that Bruce Schneier was out of touch with industry CISOs, but now I think that they are out of touch with him. He's come on tremendously in recent years. I saw him present to the United Nations last year and he was awesome, reflecting a lot of research and deep thinking about important issues such as trust, risk, surveillance and cyber warfare.  

I shall be ordering a copy of his new book "Liars and Outliers". It's about trust, a subject I find both relevant and fascinating. Trust is a phenomenon that few security researchers seem to understand. The problem is that it's a means to an end, and makes little sense when studied in isolation from its purpose.

The nature of trust is also changing as we move from an industrial-age dominated business landscape to the information age.  I find this paradigm shift is neatly captured by two Russian proverbs. The first, ascribed to both Stalin and Lenin, is "Trust is good, control is better", which encapsulates industrial-age thinking for vertically integrated enterprises and societies. The second, made famous by Ronald Reagan, is "Trust, but verify", which reflects our best endeavours for managing situations in a modern, diverse supply chain that is increasingly beyond our direct control.   

Communicating information quickly and efficiently

Information security practitioners have long been poor at developing awareness materials. Partly this is because misguided governance systems focus on legalistic policies and procedures that no one ever reads. (When was the last time you read an instruction manual?) It's also because security professionals are not trained in the art of designing effective communications materials. We need to tackle both of these weaknesses.

Unfortunately, the growing wave of regulatory compliance means that there is little prospect of the governance side being improved, as established security standards are rooted in an outdated, paper-based, quality model, designed more for churning out identical widgets rather than inspiring people to safeguard intellectual assets.  

Progress with the human aspects is likely to show more promise. At least the problem is recognised, though the interventions leave much to be desired. (The UK strategy appears to be to leave everything to a single underfunded web site, Get Safe Online.)

On the bright side, however, more and more academic courses are including human factor considerations. It's a big subject and expertise is thin on the ground. Lessons can however be learnt from other fields. Safety is one. A good place to start is to study the art of designing road signs. The BBC News website has an interesting feature on this, which makes some excellent points.

It also raises the obvious question of why we don't have universally recognised warning signs for information security risks. Now that would be a good idea, though it's unlikely to be taken up by a community that believes that hundreds of pages of policy guidance are the answer.  

Postscript:

Many thanks to Andrew Yeomans for pointing out there is an excellent example of the use of warning signs in the SPIDER project by Pete Burnap, Jeremy Hilton and Anas Tawileh.

Information Security around the World

I spend a good deal of my time travelling around the world giving lectures and helping companies with consultancy. Last week I was in Amsterdam, the week before in Norway, and tomorrow I'm off to sunny Cyprus.

It's refreshing to interact with security professionals in other regions, as there are marked differences in attitudes, interests and priorities. There are many reasons for this, such as the influence of culture, economic outlook and the level of security maturity.

Local culture influences the level of understanding of human factors, as well as the nature of trust and loyalty. Economic outlook shapes business priorities and budgets. And the level of security maturity, amongst other things, determines the vintage of available solutions.

Innovation and openness to new ideas also vary tremendously. London, for example, is a classic example of a well-organised information security community paralysed by Groupthink. There is too much socialising and job rotation to allow room for free thinking. I regularly raise eyebrows by challenging existing assumptions. In contrast, new thoughts and solutions are welcomed in continental countries that enjoy debate and tolerate mavericks. Travel further east, however, and a herd mentality begins to set in, though for a different set of reasons.

Security technology has always been popular in the US and the Far East, much less so in Europe. Continental Europe prefers to focus on people and processes. The UK is the home of bureaucracy and exports it aggressively. ISO 27000 is popular in Commonwealth countries but is frequently despised outside. Unfortunately, it is beginning to catch on in cultures where staff pay little attention to policies and procedures.

Wherever you go, however, it's compliance that's the primary driver for security. Paperwork has assumed centre stage, as it ticks all the boxes and can be copied and implemented at little cost. In contrast, real security can only be achieved by careful attention to people and thoughtful use of technology. The most important asset for the future, however, is smart improvisation and innovation, and unfortunately that's thin on the ground across all corners of the globe.

Who influences security?

I was contacted last week by a company that specialises in harnessing influence. They claimed to be working for a top IT security solutions vendor and had identified me as a key "influencer" in the UK. They wanted me to answer a set of questions but refused to say who the client was and offered no references or incentives. Not surprisingly I turned them down - another case of the Cobbler's Children, where the influence peddlers are themselves lacking in influence.

But it set me thinking about who actually sets the agenda for security in today's world. It's an interesting question, because the answers are not immediately obvious. Certainly the influence is not where you might expect it to be.

Analysts such as Gartner and Forrester have our ears, but they operate by repeating back what clients and customers tell them. They serve primarily as a decision support tool, rather than a decision making one. The same goes for consultants, who are essentially overpriced sounding boards.

Academics could be highly influential but today's crop is short on ideas and prefers to ape the not-so-best practices of industry. Some new university courses are now focusing more on universal business skills, such as how to present a business case, rather than real security competences, such as how to secure an infrastructure.

Regulators are in a perfect position to set the agenda but they cannot be seen to be tilting the playing field, so they usually end up falling back on bland principles and universally agreed standards. You get the occasional exception, such as PCI DSS, but it's generally the result of a standard developed by experts rather than regulators.

Vendors should be setting the scene, but innovative technologists are very much in the minority, and most established firms are run by commercial managers seeking to squeeze every last penny from their cash cows. Meanwhile their PR companies dish out bland press releases which few people read as they are primarily designed to stroke the egos of their masters.

That leaves governments and journalists. The former are a mixed bag of politicians who pursue fame and publicity, supported by civil servants who prefer consensus. The latter are also divided, into loyal scribes who support their sponsors and trouble makers who are looking for a good story.

So it's no surprise to find politicians and bloggers featuring strongly in SYS-CON's list of the "Most Powerful Voices in Security". The top three are Darrell Issa, US Representative for California's 49th congressional district, William Lynn III, Deputy Secretary of Defense, and Bruce Schneier. I made it to 51 on the list, though my friends tell me that's because I have a loud voice that's difficult to shut up.  

Reflections on Infosecurity Europe 2011

This week's Infosecurity Europe seemed quieter than usual. It was no surprise of course as it bordered on the Easter holiday. But it was a good event, made enjoyable and interesting by a well-designed exhibition hall and the presence of many top CISOs and security personalities. It's an event that relies far too much, however, on legacy experience rather than innovation. That's not really good enough. In today's fast-moving environment, we should be aiming to stretch the boundaries, rather than repeat well-worn debates.

Certainly the education programme could have been more imaginative. It did not really live up to the theme of "foresight". The acoustics in many of the theatres should also have been much better. But such is the power of the brand and the appeal of the subject area that it was well sponsored and well attended. You could, in fact, learn a lot simply by talking to the people on the stands or in the surrounding avenues and alleyways. As with many exhibitions, the really useful information lurks behind the scenes, rather than being on show. You have to speak to the exhibitors, not just pick up the leaflets and free gifts.

The most worrying trend was the lack of new solutions. Most products or techniques on display were simply variants of long-standing practices. I saw little that was new. It was good, however, to see a greater emphasis on cloud security issues, though much of the debate centred on compliance, rather than security. (See my next posting for a debate on that subject.) Next year should be better, given the range of new technologies that I know are under development. 

The most pleasing trend was the emergence of solutions aimed at small companies. For years the needs of SMEs have been ignored by vendors. Finally we are seeing products that are cheap and easy to use. Qualys has been a pioneer in this space, justifiably picking up the Best SME Security Solution at the SC Awards. This week Sourcefire also announced a lower cost version of their IPS product with a simpler user interface. These companies are smart, as this is a rapidly growing market that has been ignored for far too long.

Qualys has to take the rosette for the best exhibition stand, with plenty of space, expert advice and generous quantities of beer available. Everything was on show, including slick product demonstrations, as well as the opportunity to meet Philippe Courtot, award-winning CEO of the year. Outside the arena, the Portcullis Arms takes the biscuit for continuing to maintain a consistently high standard for networking and entertainment.   

Infosecurity will continue to survive as an established institution. But like all such networks it needs to aim to stay ahead of the herd, rather than following in its wake.    

What keeps you awake at night?

I had an email from Charles Pask yesterday, asking me for my opinion on "What keeps CISOs awake at night?" It's a good question. I thought for a bit and decided that "advanced persistent threat" was the most dangerous threat I could imagine. I was wrong. CISOs are more concerned with personal, immediate and certain problems such as building teams and running projects.

This illustrates two things. Firstly, human behaviour is mainly influenced by things that are personal, immediate and certain. (See my book Managing the Human Factor in Information Security for more on this point.) Secondly, it confirms the first of my laws of information security: The purpose of an information security programme is to cover the backside of the CISO, rather than prevent incidents.  

Perhaps the question should have been "What should keep CISOs awake at night?"

Power to the people

The continuing hacktivist attacks in support of Wikileaks are a classic example of how networks transfer power from traditional institutions to citizens. Power is no longer something you can obtain through wealth, force or status: it's how other people react to you. Security managers should take note, and pay greater attention to external perception in social networks.   

Perception can be more dangerous than reality

The claim by Julian Assange in Forbes that Wikileaks is targeting major corporates and has a major bank in its sights has already depressed the stock value of one top American bank, though nothing damaging has yet been published. This is only the start of a trend that I've been tracking for many years. Social networks are building a world driven by hearsay and illusion. Welcome to the information age.

The potential for spin, FUD, rumour, Chinese whispers and disinformation increases with the growth in human networking. There are structural as well as psychological reasons for this phenomenon. They are covered extensively in my book "Managing the Human Factor in Information Security".

The damage from speculation is often greater than from the truth. Most of us are still searching for the massive fall-out we were warned to expect from the latest Wikileaks revelations. Whether this is down to raised expectations or good crisis handling remains to be seen. But it's certainly possible to counter bad publicity with smart crisis management.  

The real learning point is that we must all become better at managing perception, both to convey the right message, and to see through the growing mists of illusion. In particular, we should aim to avoid placing reliance on unconfirmed rumours, and always seek a second opinion when making critical business decisions. Unfortunately, as with many things in the information age, it's much easier said than done. 

About this Entry

This page contains a single entry by David Lacey published on May 13, 2012 4:06 PM.
