Image source: Mike Bird (https://pixabay.com/en/users/MikeBird-1860391/)
When I transitioned from Active Duty military to the Reserves, I was very fortunate to land an information security job within the Department of Defense. If I am being absolutely honest with myself, I probably wasn’t ready to take on a role at that level. One of my favorite quotes for these situations comes from Richard Branson, the business magnate who has a net worth of about $5.2 billion. He said, “If somebody offers you an amazing opportunity but you are not sure you can do it, say yes – then learn how to do it later!” I’ve lived by that idea and it hasn’t yet served me wrong. On my first day as a bona fide information security professional, I hadn’t received my network access and was dutifully reading hard copies of information security policies and regulations. After watching me stare with glazed eyes into a three-ring binder for several hours, and perhaps even feeling a bit sympathetic, my new boss decided to test my mettle. He handed me a stack of printed slides and told me to look them over and then share my thoughts.
I remember that it was a request for a commercial internet connection that would help a small IT shop test their remote communication kits for their executives. After a few quick glances, and wanting to prove myself, I threw the stack of paper onto the table that separated our desks and told my boss that all they wanted to do was get around the security controls that protect the organization’s network. They probably wanted to play online games, stream video, or engage in some other activity that would keep them from doing their job. I leaned back in my chair with a feeling of smug success. My supervisor picked up the slides, held them in his hands, and told me that he had called the manager of that IT shop the day before. Up to that point, the helpdesk employees had been forced to take the communications kits home with them for testing and applying updates. They would certainly be willing and able to keep accomplishing their mission in this manner, but the manager was trying to find a way to allow his employees to keep their work in the office and not intrude on their time off. He had tried everything he could to find a way to use the organization’s network to get the system updates and testing done, but compliance barriers blocked every attempt.
I was speechless, and not because I’d just been gently put in my place. I had such a profound change in mindset at that moment that I couldn’t be bothered with speaking while I tried to sort it all out in my head. My formal education in information security and my certifications had failed to teach me the most important lesson, one that I had better understood several years before, when I was a young enlisted man serving as a tier-1 helpdesk technician. At the end of the day, it isn’t about applying security controls, complying with regulatory requirements, or even protecting the information. The purpose of security is to protect the mission: the key business functions and capabilities that further the vision of the organization. Those helpdesk employees didn’t care about policy or assessments. They just wanted to make sure the equipment worked when it had to. It wasn’t my job to lock down the information, network, or devices. I had to find a way to allow people to do their jobs securely. Even though it was several years ago now, the lesson of that moment served as the catalyst for a personal mindset shift that I could no sooner unlive than forget.
If you are reading this, you may be wondering what you can do to increase security awareness in your organization. Technical controls, policies, and alignment with compliance requirements do a fantastic job of addressing yesterday’s problems, but only an intentional and impactful information security awareness program can help to discover and respond to the issues of today and tomorrow. We are constantly bombarded by references to the “insider threat”, so it is only natural that we start to think of the people in our organizations as vulnerabilities. This train of thought creates more barriers than benefits. We’ve seen several new products hit the market that are designed to analyze user behavior and highlight abnormalities. These tools certainly hold out high hopes of tackling the concerns over insider threat, but they do not even attempt to solve the root problem: users either don’t understand the security consequences of their actions or they simply don’t care. It is our job as information security professionals to increase their understanding in a way that influences users to start caring. If we can take even a few steps toward that goal, the people in our organizations can actually become security controls rather than vulnerabilities.
Steve Higdon has been working in the information security field for over ten years, providing support and consultancy to both public and private sector organizations. Steve can be reached via email at firstname.lastname@example.org and on Twitter at @SteveHigdon.