Skip the navigation

How to talk security so people will listen (and comply!)

January 3, 2013 06:00 AM ET

So far, three phishing experiments involving 250 employees each have been conducted; eventually, Mankovich hopes to test the security smarts of all 90,000 email-connected Philips employees worldwide.

"At the end of each pilot we talk to a few of the users to see what they felt about the experience -- both those who fell for the phishing and those who did not," Mankovich says. "We [typically] have a very small percentage of people who did the bad behavior, and those people do get the message."

As for more simulated attacks, "We've decided we're going to run it forever. Those personal hooks do very well" -- though future phishing tests will be stealthier and increasingly intricate, he says.

Protect to enable

In light of the increasingly virulent cyber-threats out in the wild, IT leaders struggle between giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices, and putting the brakes on.

But it is possible to strike a balance between the two, Harkins says. Intel adopted its "protect to enable" mantra three years ago. Rather than focusing primarily on locking down assets, the mission of the information security group has shifted to enable business goals "while applying a reasonable level of protection," Harkins says. "The more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins explains.

To enable business goals while still effectively communicating its security policies, IT needs three things, Harkins says: an adequate level of acumen as to the business side's situation and needs; input from both technical and business units on the risks versus rewards of a given security decision; and a clear channel of communication among all levels and units of the business.

The more drag you put on information flow, the slower the business velocity, which creates strategic risk.
Malcolm Harkins, Intel

Intel's BYOD plan is one product of its "protect to enable" policy. As early as 2009, Intel took a new approach that supports personal devices in the enterprise. "I challenged my team to work with Intel legal and human resources groups to define security and usage policies. This enabled us to begin allowing access to corporate email and calendars from employee-owned smartphones in January of 2010," Harkins says.

The initiative has been highly successful in allowing users to adapt their mobile devices to the workplace while keeping corporate data safe, and Intel continues to define new security and use policies as new devices come onboard.

Insurance provider Endurance Specialty Holdings Ltd. in New York tries to establish policies that don't limit the users from performing their jobs, says CIO Tom Terry. "There's generally a good reason why they're asking for a particular software, tool or device. We attempt to understand the problem they're trying to solve and give them tools to address their needs in a secure manner."



Our Commenting Policies