Earlier this week I gave the closing keynote address at Kable’s Information Security in the Public Sector conference in London. The subject, requested by Kable, was “Creating a Security Conscious Culture”. It’s another indication of the growing importance of human factors in today’s security and IT problem space. And it’s not just in user education. The key obstacles and enablers to aligning security with business goals, or in joining up Government IT, are politics, perception and relationship management.
A year or two ago there was much less interest in human factors. Today it’s the most requested topic for advice, research or presentations. The UK Technology Programme is investing millions of pounds in research in this area. Leading universities are building more human factors content into their courses. And sales of security education services are at an all-time high. I’m already booked to give presentations on the subject next year in the UK and USA.
Will this trend continue? Yes, it has a long way to go. The major obstacle at present is the shortfall of budget and resources assigned to the subject. It can take years for such vital enablers to catch up with the latest challenges. But there is a compelling business case because it reduces incidents and, more importantly, their associated costs. If your organisation is not spending at least 10% of its security budget on security awareness and behaviour change, then it’s probably got the balance wrong.