Tuesday, November 19, 2013

Open Letter to IT Departments: People are Important to Your Security Plan.

Read a Dark Reading article this morning that I really enjoyed. First of all, any article on information security that can work in the zombie apocalypse is A-OK in my book. Nicely done, Glenn Phillips.

employee training, security awareness training, information security
And you know, the comparison works surprisingly well. Way too many businesses focus on just a few security dangers (for example, amassing weapons to blow away those pesky zombies) without addressing the whole picture of security (forgetting to stockpile water so you don’t…well…die).

Another problem? Letting an IT team dictate what works and what doesn’t without really considering what Phillips calls “the human component.”

I especially identified with Phillips’ example of the IT department requiring new impossible-to-remember password every 60 days. I’ve worked in places like that, where IT made those sorts of demands with a sort-of “Do it or else” attitude. This was ineffective. Those demands were usually 1) ignored and 2) laughed at.


Are you the CIO where you work? The information security specialist? The IT support center manager?  Then listen up. The average employee doesn’t know what you know—and they aren’t really keen to learn. But the answer is not setting up systems and processes that make things harder for them.

Why? Because people are convenience-obsessed. People are careless. People are impatient. People are preoccupied with all kinds of other things.

They don’t understand why you want them to change their password every 60 days. They don’t care whether or not it includes a good, long mix of letters and numbers. They forgot all about that boring training you sent about never clicking links in phishing emails. They can’t even get their printer working.

And you know what else? If your IT security team is elitist, superior, and creates rules that are irritating and hard to follow, then your business will not be secure.

So now, let me make this formal statement of apology on behalf of employees everywhere. They're sorry. They really don't mean to be lazy or thoughtless or cause security breaches.

Forgive? Ok, great. Now, begin to assume the worse. Expect that they'll lose flash drives on the way through the parking garage. Expect that they will open emails they shouldn’t. Expect that they will take the easy way out most of the time, when it comes to security.

And then, take action. Don’t talk down to them. Train them. Teach them. Use language they can understand and expect it to take a little while to sink in. It will be worth it once they are your strong frontline of security.

More About Information Security