A chain is no stronger than its weakest link, and life is after all a chain.
To information security professionals, having a strong chain of policy, practice and architecture is, indeed, life.
The human factor is always the weakest link in any information security program. Why is that? People are our greatest asset! We invest in our workforce! Our human capital is priority one! Yep. If all that is true, why are the vast majority of information security breaches due to all this human capital doing the wrong thing?
There are lots of factors that contribute to this.
People are overworked and distracted. The local government workforce has been shrinking at a time when the need for new citizen services has been expanding. Employees are doing more with less, and they will find ways of getting their jobs done, even if that means using Dropbox to share files, using personal email, or working from home on personal equipment. They will find a way to get the job done, even if it means cutting corners.
Training is inadequate and difficult. Education is the single best weapon to use to fight information security issues. Period. Training is usually not mandatory unless there is a regulation that compels the locality to do so. Most information security training is tedious, easily scanned and paged through. Employees are compelled to view policies, and click the “I Accept” button. Remember, they don’t have time to take the training to begin with. Find a way to improve the education. We have had success with the SANS “Securing the Human” series of videos at www.securingthehuman.org.
Shadow IT is Pervasive. You may think you have a tight information security posture in your centralized IT department. Good for you. I guarantee you there are other IT departments within your customer organizations where the focus is NOT on information security. Their focus is on convenience and speed. You can play organizational whack-a-mole with the shadow IT functions, and waste a lot of time (and be despised even more). You can ratchet down the administrative rights, and that is a good thing to do anyway. Or, you can work with the shadow IT functions to find out what they do, how they address the customers' needs, etc. Remember, it’s not a witch hunt.
System Assumptions. We sometimes buy and build systems that make assumptions about how the humans will use them. Properly trained, well-meaning, focused and rested employees will probably almost always use the systems correctly. We have few of those types of employees. When systems are procured or designed, the security discussion needs to start way up front, before the procurement, and be part of the project all the way through the maintenance phase. Fail at this and you will pay a heavy price later as you try to add controls externally.
We Don’t Sell Effectively. Let's face it, IT leaders do not make the best sales or marketing professionals. There is a reason why we ended up in IT! Any positive change in addressing the weakest link will require you to get out of your office and sell the investment required for a more secure organization. The sad fact is that this most often happens after there has been an incident. Money. Risk. Improved efficiency. Impact. Political fallout. All of these can be parts of an effective sales strategy built on mitigating risks. Give me $1 to invest in information security training, and I can prevent $10,000 in aggregate impact. The numbers work in your favor here.
There is a phrase by comedian Ron White that people love to use to describe why information security breaches by employees happen: “You can’t fix stupid.” Heck of a way to describe that human capital we are so fond of, huh? It’s a cop-out and government managers can do better.
Barry Condrey is part of the GovLoop Featured Blogger program, where we feature blog posts by government voices from all across the country (and world!).