Saturday, August 18, 2012

Do security like a start-up or get fired - Do

This is part of a blog series. For more details, start with the intro.

Do or do not. There is no try.

Said this, a great philosopher once did. His most famous quote, arguably, it is.
Ok, so Yoda is fictional. But the quote is not. You don't need to have your religion listed as "Jedi" to have heard of this quote. Organisations need to commit to security. Go all in. Do not pretend.

Employees are still the most easily compromised link in the chain. Almost all advanced persistent threats start with a sophisticated phishing attempt. All employees must be tested for security awareness and behaviour on an ad-hoc basis when they are least aware they are being evaluated. For example, many organisations send phishing emails to their employees on a random, periodic basis to see how they react.

Notice I made no mention of education. This is implied, but focusing on education is the wrong way to go about it. Studies have shown that training alone does not work. Even if you haven't seen the figures, as security professionals, we know through anecdotal evidence that this is true. In addition, employees must be made aware when they have failed a test so they know what to watch for and how to better avoid being the weak link.

Gartner's Andrew Walls has a great presentation titled "Why Your Security Awareness Program is Doomed (and What You Can Do to Rescue It)". If he's giving that presentation at an event, make it a priority to attend. He talks about ways you can achieve behavioural change in employees when it comes to security (e.g. by using advertising, marketing and social engineering techniques) and why awareness programs alone just don't work. Basically, people are lazy. Even if we know that something we're doing may not be within policy, we weigh up the risk subconsciously, and if it isn't high enough, we'll take the easy route. For behavioural change to happen, the easy way to do something must be the secure way.

Combine behavioural changes with a light slap on the wrist each time an employee does something that's insecure (through ad-hoc testing) and we're on to something that has a chance of working.

Finally, security professionals must be involved with all aspects of IT and at the business level. They should be present at every development meeting, every architecture meeting, every operational meeting, every process meeting and every other meeting you can get a security team member into. If security isn't part of the conversations at the business level, everyone in the organisation is just going to go around the IT security team.

Next up - Share.
