Making Security Everyone's Business

Author and philosopher Aldous Huxley once wrote, "The means determine the ends." In other words, how we do something directly impacts the result. This is especially true when implementing security and risk management in an organization. Users who are told to follow seemingly arbitrary rules, without understanding the underlying reasons for them, can easily contribute to a security breach.

When security becomes everybody's business, the organization gains greater value from its security investments and builds stronger overall business process management and growth. Here are five tips to help get you there.

Tip 1: Understand the business

Sounds simple, doesn't it? But when considered within the context of a security framework, this can be hard to accomplish. Security administrators and stewards of a company must understand what the business is trying to accomplish; otherwise they risk implementing technologies or procedures that don't support growth. Case in point: online banking with X.509 certificates. While a certificate is arguably stronger security than a simple PIN, it also puts a burden on the customer. Banks are in the business of protecting their consumers' assets, but they must first be in the business of making customers happy so that they will keep their accounts with the bank. Because many consumers didn't want to deal with managing certificates, most banks allow online banking with a PIN.

Tip 2: Don't speak "dolphin"

When the security team understands what's important to the business, they can speak to executives as partners rather than as those "tech guys." Using language that shows the executive team that you understand what's important to them goes a long way toward helping them understand what's important for security. And without executive buy-in, implementing a strategic security plan can be impossible. Because the security discipline has a lot of jargon and acronyms, it can be tempting to fall into "security speak," which to most nonsecurity folks sounds about as intelligible as two dolphins beeping at each other. Use business terms and normal language. While an executive may not understand the concepts of cryptography, most of them can appreciate that if critical data is being carried on a PDA, protecting that data is a good thing for the business.

Tip 3: Treat users like adults

Taking this one step further, bring the same approach to your end users. In some organizations, there is a general feeling among the security administrators that the general user population is clueless about security because they write passwords on sticky notes. Training and awareness sessions can help remove this barrier. Engage users in the process by explaining why certain rules and procedures are in effect. Periodically sit down with user focus groups to ascertain how usable and effective the rules are. And look to technologies that can help ease the users' burden. If the company implements a 30-day password aging scheme, look at enabling technologies such as single sign-on that reduce the number of passwords people need to remember. Most people can remember one new password every 30 days; few of us can remember 10 new passwords in the same time frame.

Tip 4: Don't just build it

In the movie Field of Dreams, Kevin Costner built a baseball field and "Shoeless Joe" magically appeared. Things aren't so simple in the world of security technology. Policies that are mandated from one small group across the organization are often ignored or circumvented. Difficult-to-use technologies are seen as barriers rather than enablers. Things turn around, though, when the key stakeholders are part of the decision and implementation process. Find champions within organizational units who understand the business value of security, engage their input on new policies and technology rollouts, and leverage their influence to spread awareness throughout the company.

Tip 5: Keep awareness high

Finally, don't forget that it's easy to forget. When users get involved in day-to-day firefighting, it can be hard to keep in mind that security is everybody's business. But there are ways to gently remind people. Consider a monthly e-mail to the company that provides a summary of the organization's state of security health. Make security part of the HR process and train users when they are hired, having them sign off on acceptable usage policies during orientation. Provide friendly reminders on Post-it notes like "Don't write your password on this!", or hold monthly awareness booths in the cafeteria, contests and rewards for security-aware behavior, or a bounty for the best "phishing" discovery. And if the above sounds too hokey, try this: get out there and talk to people. In the world of security, a little humanity can go a long way.

Kelly is an executive security adviser at Computer Associates International Inc.

Special Report: Proactive Security
Copyright © 2005 IDG Communications, Inc.
