Information Security – A People Problem

    January 8, 2007

Interesting article out on outlaw about how information security is a people problem, which is something that we all probably really do know, even if we won’t really admit it all the time.

The URL for the article is here, and it was written by John Colley of the International Information Systems Security Certification Consortium, (ISC)

The core of the article runs around three premises:

“We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets.

We must make the effort to understand changing organisational structures that increasingly embrace outsourcing; how our companies would like to take advantage of their business intelligence; how customers would like to interact with our businesses; evolving workflows; application management; development strategies; and so on.

We must also recognise that information security programs reflect high levels of interdependence across the business. The security team from the top down should be capable of working collaboratively with business units – participating on strategy committees, assessing business objectives, presenting risk analyses, and reporting common accomplishments in recognition of common objectives. A review of hiring practice is warranted to ensure a team that is capable of interfacing with the business, as well as implementing solutions.” (ISC2)

The premise is that security relies on people is well founded, well understood, and something that we really do recognize in our daily business. We deal with people when we deal with an issue, we really do not do anything in a vacuum, we need and rely on people to provide us the information or access that we need to do a good job. Our interactions with users, administrators, and management define how well we are doing our jobs, and in the longer run define how well we are running our information security programs.

The organizational structures that we deal with, information security is business intelligence. Properly used information security information from Security Information Management systems, collation systems, and other management/monitoring systems is all valuable to the business because it allows the security department to move assets around depending on the needs of the business in regards to what techniques and processes are being used to attack it. This can reduce costs by allowing for the efficient use of personnel on day to day issues, and provide real metrics on how many people are trying to really attack the company.

And the interdependence is also all about working with people, to make the computer systems stronger, to make policies work better, to invest in best practices that make sense for the company, and a whole host of other ways that we are interdependent on each other within the company.

Its an interesting view point that is shared by many who read this blog, and have often voiced back to me that the old ways of Information Security and IT need to be consigned to the dumpster, and for the first time, a representative from ISC2 has also basically said the same thing, although a lot more polite than we have here. The article is well worth reading, and getting to know this kind of information security. As we have more and more leaders and managers in the field believe in information security that is reliant upon the business, as much as the business is reliant upon information security, the whole industry will change.



Add to | Digg | Reddit | Furl

Bookmark WebProNews:

Dan Morrill has been in the information security field for 18 years, both
civilian and military, and is currently working on his Doctor of Management.
Dan shares his insights on the important security issues of today through
his blog, Managing
Intellectual Property & IT Security
, and is an active participant in the
ITtoolbox blogging community.