I note that my fellow blogger Stuart King has been speculating on security topics for 2009. It’s natural in his line of business. His company organises many international security events. Stuart sees little progress in getting to grips with existing problems, never mind new ones. But he does see a lot more focus on the people side of the problem.
I fully agree with that. We need to give much greater attention to security awareness and other human factors. The problem is that we haven’t seen much in the way of products, services, methods or advice to help security managers with managing the people side. Understanding where to start is a real challenge for most organisations. Most of the things we really need to do are new concepts for security managers. And there aren’t many good practices out there.
But two things are certain. Firstly, the way we currently go about educating staff is not fit for purpose. There is scope for a massive improvement. It must change. And, secondly, the return on investment from cutting incident levels is substantial. So it’s worth spending more time and money on education.
The lack of guidance on the subject was the main driver behind my new book, “Managing the Human Factor in Information Security”, to be published by John Wiley in January 2009. Amazingly, you can even order it now over Amazon, though the manuscript is not yet finalised. In the process of writing this book I’ve assembled a large body of theory and practice, which convinces me that we can, and should, transform the way we manage the people side of security. We need no less than the equivalent of a Security 2.0 solution. And I don’t mean the Symantec product of that name. I mean a new kind of security, one with a much stronger focus on people and their relationships.