All security is human. I forget where I heard that or read it, but it underlines a simple reality about security. It all boils down to humans and their behavior. Technology, process, compliance, etc. are all tools we have to alter, control, and monitor human behavior. Security is ultimately about manipulating people into desirable behaviors and discouraging unwanted behaviors.
This is why all security must have at least some respect and consideration of the psychological aspects of security. How people perceive security has a lot to do with their willingness to accept and support it.
The Transportation Security Administration, TSA, learned this lesson in a big way. Videos of TSA agents patting down toddlers and molesting grandmothers fundamentally altered the perception of their efforts. Suddenly, a few poor choices had grown into a massive, national discussion on TSA’s activities and charter. People even started tying the behavior of TSA to the policies of the current administration, which is completely nonsensical since the President has zero involvement in crafting TSA procedures.
But, the President and TSA do have a lot to do with perception. And the minute people see a toddler being strip searched, the perception goes from stopping terrorism to assaulting children.
Information security suffers from the same perception problems. I routinely advise CIOs and Information Security Officers to “humanize” their security efforts. If you start with the attitude of “NO!” then people will reject security as a disabling and confrontational force in their jobs. Confrontation does not make for better security.
The “enabling” approach is significantly more effective. Show people how security can protect them from unwanted theft. Demonstrate how security can help monitor for destructive things. Reassure people that security efforts are focused on protecting the people and property of the business. Moreover, differentiate between personal and protected behaviors. If you do not tell people you are monitoring their web surfing, then they are going to become angry when you try to use it against them. Security efforts should be overt. That is, employees should know exactly what is and what is not monitored.
Unfortunately, information security tends to attract a lot of “power hungry” types who want to use security to accumulate power and authority over people. My experience is that these people rarely last long in any organization. Eventually, their confrontational attitude becomes irritating to management and they are either forced out or marginalized to the point of irrelevance.
Remember that security is both a feeling and a reality, and both are equally important. Good security works to simultaneously improve both the perception of security (feeling) and the reality. Overemphasis on one area at the expense of the other can make for TSA-sized problems.
TSA’s problems really were more about perception than reality. The reality is, new procedures and technologies have made flying safer. It is easy to focus on the few anecdotes where something slipped through or a child was mistreated and perceive the entire system as broken. What people fail to consider is the millions of anecdotes where a catastrophe was averted. Or where a person considering an attack gave up because of the perception that TSA would catch them and arrest them.
What TSA needs to do, as well as all information security departments, is humanize their efforts. Security needs to be sold to people, not merely enforced upon them. People will conform to annoying procedures and practices if they perceive a benefit to those practices. But those practices also need to be practical. Screening children for bombs is a waste of effort. Information security has similar wasted efforts. Blocking every user from accessing Facebook may seem like a wise security move. But, if it merely angers people and provides no perceptible security benefit, then why do it?
I would caution CIOs and executives, when hiring security professionals, to take the time to evaluate their interpersonal skills. People who are unable to relate to others or possess a rigid, inflexible view of security are terrible security people. A good security person has a well-rounded mixture of skills that include business and interpersonal skills.
I would also caution all you aspiring ISOs or CISOs out there that outrage is not a virtue. Being permanently in a state of outrage and indignation over some information security injustice solves nothing whatsoever. Complaining that your organization does not cherish security like it should may be accurate, but it does absolutely nothing to improve the situation. Funnel your outrage into action. Turn all that indignation into identifying ways you can incrementally improve the situation. And lastly, if you are not willing to get your hands dirty on the firewall or IPS, then what business do you have telling others how it should be done? I understand that managers need to manage, but they also need to lead. Lead through example and inspiration, not fear and ignorance. Quit complaining and go get your fingers on the IPS and make it run better. Quit complaining that you bought the wrong product or that nobody can make it work. YOU make it work.
All security is human, and all humans want security. But they want security to serve their needs, not hinder their aspirations.