Saturday, December 18, 2010

An InfoSec Pep Talk

The information security savvy are frequently so immersed in their field of expertise that they commonly forget just how much of best practice remains a mystery to the unindoctrinated.  Don’t think so?  Take a walk through any office space, retail storefront, or healthcare facility and think like a “black hat” for a moment.  You see that pile of completed forms stacked over there?  How about that unshredded, unlocked recycle bin?  Are there really no physical controls around the fax machine?  Bingo!  An unlocked workstation!

Now, let’s think about the most recent security awareness class that your organization offered.  It probably reviewed password strength and complexity and phishing threats.  Hopefully, it also went into some detail regarding organizational security policy and how …zzzzzz….  Why is it that whenever we get to the policy part the audience keeps doing that?!

Ok, here’s the problem.  Most people want to do their jobs to the best of their ability and then go home.  Most people also despise change.  So, when the Information Security Department starts introducing controls that require people to change their behavior in order to do their jobs, it is frequently met with an acute case of the “I don’t wanna!”s. 

Oddly enough, though, today’s change is actually tomorrow’s accepted state.  Recall the late ‘90s when you tried convincing your boss that a network firewall was needed to safely access the Internet.  After clearing budget review, end users likely flooded the help desk with calls as seemingly far-fetched as that their mouse had been moving slowly…ever since the firewall went in.  Today, network firewalls are commonplace, as should be the desktop variety.

The fact is that when Information Security proposes a control, policy, or process, it will likely be met with both skeptics and naysayers.  The “we’ve always done it this way!”s and “isn’t that overkill?”s are frustrating and, at times, discouraging.  However, it is also the nature of the business.  Information Security is paid to consider the risk and to make the hard decisions that err on the side of caution.  In times of trouble, Information Security is also everyone’s best friend.

Don’t ever give up in your efforts to clearly communicate organizational security requirements.  Re-commit now to the value of your security awareness program.  Rinse.  Repeat.  Develop prioritized organizational security goals according to a three-year plan and institute measurable benchmarks to regularly assess the current state and monitor performance.

Information Security hopes for the best while planning for the worst.  With enough supporting data your boss may even begin to realize exactly how much worse off the organization would be without it.
