Information security has a problem: an awkward border that we have consistently failed to understand and protect. This constantly changing, infinitely variable border is known as our people.
Globally, we are spending millions of dollars addressing human-centric information security, from training videos and e-learning to audit and accountability software. Yet, despite these ongoing programs, the number of organizations breached via social engineering or other human-targeted attacks continues to rise.
It’s clear that what we are doing isn’t working. But what can we do to help protect our people, our employees, and customers from this ongoing threat?
While our current efforts are meeting compliance regimes, such as PCI Data Security Standard (PCI DSS), and their requirement for information security awareness programs, they are failing to change what is at the core of human security risk—people.
As a species, people have developed a natural instinct to trust and connect. We are collaborative and work together to solve problems, gain resources, and protect ourselves and those around us. Our businesses have thrived as a result of this trust and collaboration. In fact, building company culture and high-functioning, high-trust teams has been a hot topic among fast-growing companies for a number of years.
Information security awareness and risk management techniques ignore this entirely. We teach, test, and judge our people as individuals. We teach our staff to “trust less” and “report suspicious activity,” and ignore the basic relationships and motivations of the people in question. Our security programs are literally working against our ambitions for innovation and growth.
Our ongoing efforts to make our people “trust less” are making our workplaces unfit for people.
If you’ve never worked in first-line support or customer service, you may not understand. But those who have been on the receiving end of constant customer enquiries and questions will know that there is more at play here than simply “trusting less.” The roles we have created for people require them to trust, to form attachments, and to relate—these are the skills that make our customer experience people excel. We cannot simply ask for skepticism and paranoia without making these roles ineffective and unpleasant for the people in them.
To protect our people and our organizations from the very real threat of social engineering and online attack, we need to move beyond changing the behavior of the individual and start changing the culture of our entire organization.
So how do we change security culture in our organizations?
First, we need to remember that people learn in predictable ways, requiring reinforcement on a regular basis to build the behavioral equivalent of muscle memory. We need to ensure our education programs are not one-off engagements. We need continuing and adaptive education for all our staff—from the most senior to the most junior.
Engagement and empowerment are less readily available “off the shelf” and need a bit more thought. People do not thrive in environments where they feel threatened or at risk, and yet our security controls ensure that this feeling persists. Our employees and staff need to be able to report issues without fear of negative consequences, and to benefit from an ongoing dialogue that speaks to them but, more importantly, listens to them.
Human security risk will not be solved by the lone actions of a security manager, who valiantly applies a prescribed training program to his/her staff. It will be solved by the organizations that spread the responsibility for this change to the people themselves, creating an educated, engaged, and empowered workforce.