I Was Wrong About Security
Back in the mid-2000s I was managing enterprise security for a medium-sized entity in critical infrastructure.
Along with security I was managing much of the Information Technology team, including the Help Desk. My management style tends to be pretty hands on, and one of the things I liked to do was walk around and survey my minions in the morning.
I would talk to my teams about their problems and headaches, and if I got lucky, what was going well.
One morning I was passing through the Help Desk when I overheard one associate – we’ll call him Fred – working with an end-user on a problem. Fred kept repeating, “yes, go ahead and put your mouse on the OK button and click”. Seemed simple enough.
Well after multiple attempts, Fred decided that it was worth a trip out to see the user. I was intrigued so I tagged along.
I learned an important lesson that day.
When we got to the user’s cubicle, we were met with a sweet older woman. She was smiling. Super friendly. Just a warm, inviting person. There was no frustration, no resentment whatsoever that we hadn’t been able to resolve her problem. Fred got right to work.
He repeated his instructions. “Put the mouse on the OK button and click.”
So she did just that.
She picked her mouse up off of the desk and literally placed it on the monitor, right on top of the OK button. And then she clicked. And she was right, it didn’t work.
She did exactly what we told her to do, but not what we wanted her to do.
Fast-forward to today, and most security practitioners (I used to be in this group) will have you believe that people are our biggest risk. They will tell you stories about how people fail during penetration tests, how people don’t “get it” and how statistics show that nearly all security breaches are the result of a human failure.
They will tell you that people are the biggest problem in information security.
They are wrong.
Ask yourself these questions –
- Would you attempt to drive across the country without a map?
- Would you let someone perform surgery on you if they weren’t a doctor?
- Would you deploy a firewall without configuring it?
The answer to all of these is obviously no.
However, we regularly – in all industries, in organizations of all shapes and sizes, in every country of the world – expect human beings to behave securely without effective training, education or configuration.
What we haven’t quite figured out in a meaningful way yet is that people are like firewalls. They need configuring and patching on a regular basis. As soon as you stop patching a firewall, the state of its security begins to decline. The same is true of people.
And yet people are not like firewalls at all. Firewalls don’t have brains. And people aren’t binary.
Yet most organizations continue to utilize training techniques that aren’t designed for human beings. Their training is boring, irrelevant, tedious, unengaging and long. We’ve all been there – forty-five bullet-filled, do-it-yourself PowerPoint slides and a quiz.
This doesn’t bring awareness, it brings tears.
If you want your employees’ security behaviors to be effective, your training needs to be effective. It has to be fun. It has to be relevant to their job. It has to be short enough that it can fit into their day without being too disruptive. It has to be timely. And it has to be continuous.
October is National Cyber Security Awareness Month, a great time to rethink your security awareness and education program.
I was wrong about security, but you don’t have to be.
Your human firewalls – and your business – will thank you.