A smattering of the usual suspects met under the auspices of the Information Assurance Advisory Council in Covent Garden today to consider the last great frontier – dealing with the human aspect of information security. Just how do companies impose workable constraints on the 'Mark 1' human being?
With great difficulty, came the considered reply.
When dealing with remote access to an organisation’s systems, the “new firewall” is identity management. The challenges of identity verification and privilege management are immense. What realistic controls can be placed on staff (and contractors) when the organisation is, at the same time, trying to give the impression that it trusts them?
For the public sector, additional challenges are presented given the aggressive pace of the hugely ambitious digital agenda programme, which simply increases vulnerability every day. This is compounded by a culture of zero tolerance for mistakes by ministers and those with a public accountability role. But this leads to decisions on how to react to data breaches being made in ways that detract from possibly more important issues. The public sector is creating vulnerabilities at an exponential rate because of the way it chooses to do business.
There was not a meeting of minds on the best way of addressing the “human factor”. The security professionals stress the need for managers to ever more closely scrutinise the actions of their direct reports, often with scant regard for the legitimate privacy rights and aspirations of staff, who are human beings with human rights in their spare time, if not while at work.
There are some encouraging signs, though.
Government security clearances are being administered less frequently by teams of ex-policemen and former spooks, and more frequently by teams of ex-teachers and social workers. This new breed of clearance officer is likely to be more in tune with the people they will be clearing. And they will be more able to assess an applicant in terms of their ability to conform to the norms of today’s generation, rather than compliance with the culture of previous generations.
Technical controls are (oh so gradually) being implemented within organisations, meaning that security is being built into electronic systems rather than bolted on to them. Yes, there is a huge distance to travel to security nirvana, but we have to be realistic. Staff (usually) want to do their jobs efficiently, and to a high standard. They expect to be given appropriate tools to do the job, and increasingly resent having to rely on “workarounds” simply because the organisation is not capable of living up to the high standards it espouses in its security policies and the like.
Today’s principal themes were the usual ones: awareness, management and culture, and leadership.
But the key message was ominous: staff expect to be loved, looked after, led and managed effectively.
Organisations that can’t manage to live up to these expectations deserve to fall victim to the insider threat.