Last week I gave a presentation on the subject of “Managing the Human Dimension” to Iain Sutherland’s excellent Independent Information Security Group. It got me thinking about the balance between the human and technology aspects of IT Security and how it continues to change. I’m often asked for my opinion about the most important aspect of IT Security. And I have to admit that my opinion changes every year.
In the early days of IT Security there were many academics in the USA, including some leading lights such as Bruce Schneier and Dorothy Denning, who firmly believed that everything in security could be solved with technology alone. They eventually saw the light and quickly began to focus more on the softer aspects of security. In contrast, there were also a handful of maverick, crusading consultants, such as Donn Parker at SRI International and our own Martin Smith in the UK, who preferred to play to their strengths and promote the importance of the human dimension. But in practice most CISOs quickly discovered that the logical starting point was to focus on policy, processes and standards, because that was the easiest way forward and the most obvious way to engage the Executive Board and kick off a long range Enterprise programme.
Personally, I always took a balanced view. I was introduced to the classic triangle of people, processes and technology in the Royal Dutch/Shell Group back in the early nineties when it became fashionable for business process re-engineering. I often mapped security standards and initiatives against it, but typically found the outcomes to be far from balanced. And the focus was not static. Ten years ago, if you’d asked me where the biggest bang for the buck could be found, I would have pointed to platform security. But today, it’s different. Over the last few years, the weak spot has been human behaviour. So naturally that’s where the attention has been shifting, and in fact where much of the UK Government’s focus has now been concentrating. And to be honest, it’s where I’ve been able to make the greatest single improvements in security in recent years.
And the balance is now changing again. Over the next few years, I believe we will see the emergence of new security technologies that will provide unprecedented capabilities to see and control security events across the enterprise. And these capabilities will only be successfully harnessed through the use of new policies, processes and technology. So again, the focus will switch away from the human dimension towards business processes and automation.
Of course, anyone that knows me will understand that I’ve always believed that a process-driven approach is not the true way forward for an Information Age organisation. Repeatable processes are a prescriptive, Industrial Age solution to promote traditional, static business activities. But scripted approaches have the unfortunate side effects of restricting business agility and dumbing down people’s capabilities. They won’t deliver the goods in a fast-changing business world, run by empowered individuals. Ideally we should provide staff with an up-to-date set of tools, smart training and a clear set of objectives and standards. We can then allow them to improvise and exceed expectations by constantly transforming the quality of our services. In fact it is perfectly possible to design 100% script-free business processes, IT systems and supporting infrastructure. But unfortunately the business world is far from ready for such radical ideas. So for some time to come, I expect that processes will continue to be King in the business and security worlds.