“They just don’t get security!”
As InfoSec professionals we often curse our management, our users or our customers (or all three) because they have done something “stupid” which either creates or nearly creates a security incident. We howl, we complain, and wish users would just “wake up and learn!”
I think we are all wrong – yes, the InfoSec professionals are wrong, management is wrong, users are wrong and our customers are wrong. Why? None of us get security. There are a few exceptions, but as soon as we bemoan our users, management or customers, we are just as guilty of ignorance as they are.
“Okay, now you’re off the deep end!”
Let me share a comment that I heard on a panel I sat on, where we were meeting with the media. One of the panelists said, “I know a bank which has put in state-of-the-art security, and some of the best controls. But they are all turned off because the users won’t use them and they just go around them.” We have all heard this story before, and usually we find ourselves saying, “They just don’t get security!”
The problem is not with the users. It is with the InfoSec professional who thought that the best, state-of-the-art tools that inhibit the ability of users to do their job or act in a productive manner were appropriate. How can users be expected to respect, learn about and engage with security tools when we as InfoSec professionals so often fail to learn about or engage with the other business units in our companies, and to understand what they must do to be successful? Let me give you a list of questions to ask, and see whether you can answer them without making a phone call:
1) What is the most important function or process in each business group?
2) What function or business process in each business group generates the greatest revenue?
3) What efficiencies in each business group create, or could create, the biggest savings?
4) What processes in each business group are the most time consuming?
5) What business risks keep the managers in each business group “awake at night”?
6) How do knowledge and information flow through the company?
As I have mentioned in lectures and blogs before, I have walked into companies where the InfoSec group has no idea what the business does, or refuses to talk to other business groups about their needs, their views, and their operations. One company even insisted that its Business Continuity Plan did not need to include anyone outside of IT because, “We know all of it anyway.”
If you as a CSO want to promote security tools and controls, you had better understand the business and be able to talk about its problems. You had better have your team ready to design and select security tools and controls that enable the critical processes, increase efficiency, reduce the time needed to perform a job, and increase revenues (or customer satisfaction). If you can’t do that, then you will fail. And don’t be surprised when the company looks at the security group and says, “They just don’t get business.”