Mo Amin: You can transform technology but how do you transform people?Posted: April 14, 2014
Mo Amin – Information Security Professional
Can you please tell us a little bit about your background?
Long ago in a galaxy far far…oh ok…ok…Just like a lot of people in IT I got asked the same question “My PC has died, can you help me?” When you say yes to one person it’s a downward spiral…and before you know it you’re THE computer guy! Even now I (depending on my mood) will help out. So this was my first real experience in building rapport with clients, charging for my time and to a certain extent being held accountable for the service I provided.
I taught me a lot and was a catalyst in helping me to land my first role in desktop support. I was part of a small team which allowed me to get involved in some network and application support too. Whilst doing my day role I was involved in a couple of investigations, which got me interested in information security and through a few lucky breaks I slowly moved into the field. I’ve been lucky enough to have worked in a number of areas ranging from operational security through to consultancy. However, I’ve always intrinsically enjoyed the awareness and education side of things.
What is it that you are working on at the moment?
I am working with Kai Roer of The Roer Group to help develop the Security Culture Framework. Essentially, the framework aims to help organisations to build a security culture within their business, as opposed to simply relying on topic based security awareness. Making sure that organisations begin to build a security culture into their business is something I believe in strongly. So when Kai asked if I’d like to help I was more than happy.
Let’s talk for a moment about information security in general. What do you think are the biggest challenges that companies are facing at the moment?
I think that one of the biggest challenges is educating staff on the risks that the business faces and getting people to understand and relate to why it is that we are asking them to adopt secure practices. The problem revolves around changing the attitude and overall culture of an organisation. In my humble opinion, this is the biggest challenge. The difficulty lies in changing behaviour because you can change technology but how do you positively change the behaviour of people?
What is your approach or proposed solution to this challenge? What should companies do?
I’ve always learned by seeing something in action or by actually doing it. Obviously, within the context of a busy organisation this isn’t easy to do. However, as information security practitioners, professional or however we label ourselves we need to be more creative in our attempts to help those that we work with – we need to make awareness more engaging. I think it’s important to have workshops or sessions in breakout areas where staff can come along see how quickly weak passwords are cracked, what can happen if you click on that dodgy but enticing looking attachment. It’s about visualising and personalising threats for people, for example, if you plan your awareness programme carefully you could map your corporate security messages for the home environment and provide your staff with a “Top 10 of do’s and dont’s” Make it creative and engaging and the messages that you give for their home environment they will begin to bring them back to the office.
Lots companies offer security awareness training, which doesn’t seem to have much of an impact. What do you think about these trainings? Should they be changed in some way in terms of targeting, or accounting for individuals’ particular needs, or focusing on behaviour?
The problem is that most of this is simply topic based awareness, in that it’s not seeking to change behaviour. There seems be to be a lot of generic content that applies to everyone in an organisation. Sadly this is a tick-box exercise for the purposes of compliance. Awareness should be unique to your organisation where you cater for different personality types as best you can. Some people actually like reading policies where as some prefer visual aids, so the ways that individuals learn needs to be better understood. The process of educating your staff should be a sustained and measured programme; it needs to be strategic in its outlook.
What about communication?
Better engagement with the business is what we need to be doing. Our relationships with the likes of legal, HR, finance, marketing, PR should be on an everyday basis not only when we actually need their expertise. These departments usually already have the respect from the business. Information security needs to be seen in the same light.
How do you identify the relevant stakeholders and establish communication with them, and further propagate the whole process of communication within the organisation?
Grab a copy of the organisation chart and start from there. Your job is to introduce yourself to everyone. In my experience doing this over a coffee really helps and preferably not in a meeting room, because it is better to create a new business relationship in a social context, wherein the other person gets to understand you, firstly as a human being and secondly as a work colleague. Most importantly, do this at the beginning and not two months down the line. Building relationships at the very beginning increases your chances of being in the position of asking for last minute favours and paves the path for easier collaboration, as opposed to having to ask for people’s help when they don’t even know you. Usually people are open and honest. They may have a negative image of information security, not because they don’t like you, but most likely because of the interaction they’ve had in the past.
So let’s say that you have joined a new organisation that has a very negative preconception of information security because of a bad previous experience. Once you have already identified all the key people you have to work with, how do you fight this negative perception?
You need to find out what was done previously and why the outcome was negative in the first place. Once you’ve established the actual problem, you have to diffuse the situation. You need to be positive, open and even simple things like walking around and talking to people – show your face. Visit different departments and admit any failings, you need to do a PR and marketing exercise. In a previous role I’ve actually said
“I know what went wrong the last time, I know we screwed up. I want to ask you what you want to see from the information security department from now on.”
People are ready to engage if you are, be personable and be professional. It’s surprising how much positive and usable feedback you actually get.
The majority of the time, people will tell you,
“I just want to be able to do my job without security getting in the way”.
Once you have these sorts of conversations going you begin to understand how the business actually functions on a day-to-day basis. It’s at this stage where you can be influential and change perception.