How can businesses ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?
Many organisations still fall into the trap of selecting a security technology and then attempting to retro-fit a process around it. Often the resulting process is clumsy, encouraging users to take shortcuts or simply to perform tasks in a roundabout way. So, instead, reassess the problem at hand and design a new process; once that is right, the appropriate security technologies should be easier to identify.
After choosing a technology, implement it carefully. Testing, and more specifically piloting, is key to the acceptance of security functionality among the user community. Lab testing, testing confined to the team developing the solution, or testing squeezed in at the end of an over-running project will most likely prove inadequate. Instead, focus on real-world users during the testing or piloting of a proposed solution, and get those users to help you. For example, one ISF Member has identified a pool of about 100 users spread across the business who receive security patches and updates before other users. If no problems or issues are reported, the change or update is then rolled out generally across the business.
Then, do not forget training, and use it to focus on the process as well as the technology. Get senior members of the organisation to actively and visibly show their support by training alongside other users. Remember to include security awareness training, and make it real for the user. Most will use the internet at home for banking, or have children accessing the net; placing good practices into this alternative context will help your users be secure at work too.
Finally, make sure the process is monitored and fine-tuned, and does not just fade away after implementation. Do not be afraid to enforce compliance if necessary, and be ready to respond to changes in the business that demand a change or refresh of the process.
Remember, you may get the chance to fundamentally alter the way that systems are secured only every five or ten years, so make it count.
Gary Wood is a research consultant at the Information Security Forum