|image source: jainoncor.com|
Originally published at The Cybersecurity Place
For some time, a discussion about advancing technology and its impact on the human workforce has centered on topics like the loss of manufacturing jobs due to improved machinery or the decreased need for cashiers after the implementation of self-checkout systems. Frederick Taylor had something to do with this, when he traveled the world during the Progressive Era showing manufacturing companies that there was “one best way” to conduct and manage business processes in the most efficient way possible. We started replacing specialized people with unspecialized laborers and technology.
Now fast forward about a century to the information age, more especially to a time where information security is charging toward the forefront of business. If you belong to the information security community, the subject of the insider threat has become commonplace and virtually cliché. For those not familiar with insider threat, it encompasses both users who intentionally present risk to the organization (like Snowden and Manning) and those who mistakenly do so through ignorance or neglect. Instead of investing in the users and their general awareness, organizations are purchasing security tools and other software solutions to keep them from leaking information, clicking on links, plugging in thumb drives, and opening attachments.
At one time, ensuring proper employee behavior was a leadership responsibility.
I make the argument that the only reason insider threat is so scary is because we have stopped developing and promoting leaders. Technical controls, fancy new tools, and user behavior analytics do an excellent job of addressing yesterday’s risks, but only education and leadership are able to respond to the unknown risk today and tomorrow. You wouldn’t see a tool generate an alert that says “there is something strange going on here that I’ve never seen before and I have a bad feeling about it”. That is because technology is only going to accomplish what it is preconfigured to do. Good leadership continuously updates itself, whereas many technical controls and security tools do not. Good leaders adjust their risk threshold dynamically in response to today’s critical missions, while software relies on human interaction at some point to know what to measure against.
A few days ago, I read something on LinkedIn that was something like, “What if we make big investments in our people and they leave?” It went on to say, “What if we don’t and they stay?”
I feel as though the dependence on technology when it comes to information security stems from a history of system administrators that lost all hope in humanity. At around the 17th time you had to go and change the default printer for a user, you looked for a way to automate things in order to save time and take the user out of the equation. The best sysadmins however, learned that if they walked the user through the process for accomplishing each task, it made their customer support role infinitely easier. The only thing that has changed now that there is an increased focus on security is that those system administrators have jumped on the cybersecurity bandwagon and added a new dimension to their contention toward users.
Another potential cause of the need for technical solutions to address leadership problems is the recent economic recession. Large organizations were presented with a need to cut costs wherever possible, and executives had to put an increased focus on management of the key business processes. At that time, leaders were replaced by process managers who were much better at making the business function than influencing people. In that sort of scenario, it might have seemed easier to invest in technology to control and monitor employee behavior than to train their managers to become more effective leaders.
No matter the cause however, the costs can impact more than the organization’s financial statements. They are left with overly complex technical solutions, untrusting employees, and ineffective leaders – all of which go well beyond the obvious information security implications.