Unfortunately the accountability of the user is yet to be well understood, which leads to error or to justified flouting of the rules, often with management support, in order to get a job done. This presents a colossal task for the security manager, who must ensure employees understand the whys and wherefores of what is being asked of them. Increasingly common practices, such as defining generic responsibilities within employment contracts and delivering awareness programmes via the intranet, are necessary but not adequate. Training should be developed to ensure skills are present where they are required, while education and awareness should aim to empower all stakeholders to make informed decisions and to become motivated for their own benefit. Still, such efforts only reflect the perspective of the controller, leaving the controlled unheard.
Perhaps it is time that the awareness exercise is turned on its head, with security and business managers setting and enforcing controls based on an understanding of what the user requires, rather than forcing requirements on the user. The good news is that there is an effort under way that will inherently begin shifting focus to user behaviour. Once high-profile data breaches started making general news, organisations began to assess what their data is doing: where it sits, where it goes, how it moves and what it is used for. In other words, they began to assess what their users are doing. This exercise should build up a richer context for information security strategy and lead to the ubiquitous accountability that the information security department has been trying to get the entire organisation to accept. Policy will be supported by workable business processes, reflecting individual functions, that put employees in a position to respect policy rather than flout it. Security controls will no longer need to be ignored in the name of saving money or getting work done, because it will be clear that one size cannot fit all. Employees will be able to grow to understand how risks apply to their role and to anticipate them as they get on with their daily tasks. Electronic data protection will become as instinctive as locking the desk drawer at night.
John Colley is EMEA managing director at (ISC)2