Perhaps it’s about time we stopped thinking of information security purely as a specialist, technical profession and instead embrace it as a fundamental office skill, applicable to anyone whose fingers touch a keyboard.
Security awareness among ordinary office workers – even among that mythical tribe of employees known as ‘knowledge workers’ – is patchy to say the least. Where information security is taught within organisations, it’s often little more than a tick-box exercise. Once a year – or maybe even just once, on induction – hapless workers will be confined to a stuffy classroom where they are lectured on the evils that lurk behind their screens and why it’s bad to tell the world, via Facebook and Twitter, what they’re working on and precisely why their boss is an idiot.
Much of what they’re taught is couched in negative terms: you will not do this and you must not do that. Security is an obstacle to working in a way that is easy and comfortable. It’s unusual to present security in a positive light, as a benefit or an enabler.
The employees leave that room feeling armoured against the dangers of the virtual world, although they will forget most of what they have heard, either within a week or the first time that security policy contradicts something they want to do on the Internet – whichever comes first.
The employer ticks a box on an HR form confirming that the employees are now fully security trained. And that’s why the organisational entity is so thoroughly perplexed when it’s hacked.
Security is not a technology issue – it’s a people issue, or a ‘Layer 8’ problem. Just check out Brian Honan’s excellent presentation at BSides London – Securing the nut between the keyboard and the screen – for a fuller explanation.
We already have all the technology we need to make us secure. But we need to do two things: we need to use it properly; and we need to stop users from making end runs around it every time security becomes inconvenient to them. Most breaches are accidents that occur because people don’t understand the security consequences of their behaviour. Most times, they don’t even know there are security consequences.
We might prevent these issues if security became a more intrinsic part of the office culture. And that’s why I’d like to see security established as a basic IT skill, as fundamental as the ability to use Word or Excel. And this requires that it become formally established in some way – an idea that has, I’m told, been mooted from time to time but never properly pursued.
What prompted my line of thought was a chat with someone at the UK Ministry of Defence (MoD). He explained that the MoD regularly runs internal penetration tests in which individual personnel are directly targeted, to check that they are complying with policies. When I suggested that this would be impossible to do in the commercial sector, because it would lead to accusations of victimisation, he explained that complying with security requirements is seen in the armed forces as a skill. And these pen-tests are simply checking that people’s skills are as sharp as they should be.
This could transfer to the private sector if information security was similarly established as a recognised skill – preferably with an accompanying qualification. Many formal qualifications require regular testing and re-qualification. Within this context, it should be fairly straightforward to gain acceptance from people that their skill levels will be examined from time to time.
For the employer, the benefit would be a staff that keeps its infosecurity awareness raised to an effective level – one that can be tested and demonstrated (perhaps as part of its compliance activities). Employees, for their part, would have a skill and a qualification that can go on the CV and would benefit them when seeking new jobs or promotions. We might even see certain posts – for example, those that involve handling customer data – mandating such qualifications as a job requirement.
I’m not talking here about IT staff: I’m talking about all workers who have contact with or control over information. Everyone within an organisation is responsible for security. It’s time to recognise that properly.