Communication and the first law of security

Security makes for a great scapegoat. “We can’t get access to the website” then blame security. “My computer is running too slow”, blame all the security tools on it. “I can’t get access to the network”, must be the fault of security, and so on…

Reality is that the problems are more often than not the result of devices and services being misconfigured, or of a lack of awareness about what the correct policies and settings should be. Now, some of you might want to blame that one on the security department for not communicating the right messages. The excuse of “we didn’t get that information” is frequently heard. I’ll bet that you did, but because the email came from the security team you filed it away to read “later”.

Communicating security information across a large organisation is a challenge in itself. Firing off an email and expecting 30 people in 30 countries to all be able to interpret it correctly (if they actually read it) and then implement the right response is wishful thinking. Somebody recently asked me how I measure the success of my communications. It’s difficult. Follow-up phone calls and feedback are the obvious ways. The principal lesson I’ve learnt through brutal experience, now known as my first law of security, is this: if you don’t check, then it hasn’t been done.