General Douglas MacMarthur said “never give an order that can’t be obeyed”. This is sound advice, as doing so can diminish the commander’s authority. If people want to do what you are asking them to do, but can’t, they would doubt your judgement in the future.
Despite the fact that most of us operate in commercial organisations rather than the US Army, there are some lessons to be learned from this.
Security professionals don’t need to rally their troops and rarely operate in command-and-control environments. Their role has largely shifted to the one of an advisor to the business when it comes to managing cyber risk. Yet all too often advice they give is misguided. In an effort to protect the business they sometimes fail to grasp the wider context in which it operates. More importantly, they rarely consider their colleagues who will have to follow their guidance.
Angela Sasse gives a brilliant example of this when she talks about phishing. Security professionals expect people to be able to identify a phishing email in order to keep the company secure. Through numerous awareness sessions they tell them how dangerous it is to click on a link in a phishing email.
Although it makes sense to some extent, it’s not helpful to expect people to be able to recognise a phishing email 100% of the times. In fact, a lot of information security professionals might struggle to make that distinction themselves, especially when it comes to more sophisticated cases of spear phishing. So how can we expect people who are not information security specialists to measure up?
To make matters worse, most of modern enterprises depend on email with links to be productive. It is considered normal and part of business as usual to receive an email and click on the link in it. I heard of a scenario where a company hired an external agency and paid good money for surveying their employees. Despite advance warnings, the level of engagement with this survey was reduced as people were reporting these external emails as “phishing attempts”. The communications team was not pleased and that certainly didn’t help establish the productive relationship with the security team.
The bottom line is that if your defences depend on people not clicking on links, you can do better than that. The aim is not to punish people when they make a mistake, but to build trust. The security team should therefore be there to support people and recognise their challenges rather than police them.
After all, when someone does eventually click on a malicious link, it’s much better if they pick up the phone to the security team and admit their mistake rather than hope it doesn’t get noticed. Not only does this speed-up incident response, it fosters the role of the security professional as a business enabler, rather than a commander who keeps giving orders that can’t be obeyed.
I’ve been nominated for a Security Serious Unsung Hero award in the Best Educator category. This will be awarded to a professor, lecturer or teacher who leads by example to inspire and motivate the next generation of cyber security professionals. I’m humbled to be considered. Thank you!
Join me at the event.
Over the past year I’ve worked as a core part of the KPMG’s Global Cyber Strategic Growth Initiative as the lead for service development activities, with a focus on working with member firms to deploy capabilities in order to ensure consistent delivery and quality across key growth areas.
I was responsible for the roll-out of cyber security services that included developing sales and delivery accelerators, accreditation requirements, learning pathways, vendor ecosystem and quality and risk management principles across EMEA, APAC and Americas.
To achieve this, I created a service development framework and worked with numerous stakeholders across the firm’s network: global deployment, service development leads, acquisition leads, risk management and key member firm cyber representatives and regional leads.
I also developed a method for the in-country adoption of deployed capabilities and supported both global and in-country risk team members in the evaluation of risk when taking services for client use.
I ensured the sustainability of deployed capabilities through the implementation and use of delivery frameworks and tools, and assigned ownership for the upkeep of deployed capabilities. I worked with member firms to promote the adoption of prioritised services; developed adoption timelines and targets for deployed service.
One of the existing aspects of the role was alliance, acquisition and investment integration support where I collaborated with the relevant stakeholders to deploy and embed offerings obtained through alliances to member firms while monitoring progress against agreed budgets, milestones, deliverables and benefits for capabilities being deployed.
By the end of the programme, I deployed Cyber Maturity Assessment, Identity and Access Management, Industrial Internet of Things Cyber Security, Privacy and Cyber Incident Response services to 19 countries around the world.
This resulted in achieving significant revenue and market share growth for cyber security services of my firm globally. KPMG International was also named a leader in information security consulting services in 2016 and 2017 according to Forrester Research.
As David Maister famously puts in his timeless book The Trusted Advisor, “it’s not enough to be right, you must also be helpful”. You first need to earn your client’s trust, and with it, right to offer advice and be critical of the way things are right now.
What do clients want? You need to demonstrate that you understand them and you are transparent with them. It’s unhelpful to try and bamboozle your clients with jargon and numbers, instead tell what these numbers mean for them.
Consulting has traditionally thrived on information asymmetry: consultants used to know more than clients but this is going away. Not only do we need to shift to provide insight rather than just information, we need to disrupt our own industry to remain relevant. I’m talking, of course, about automation.
Yes, there will always be cases were clients hire consultants when they have already made up their mind and just want to rubber stamp their agenda. But these situations are becoming rare.
From my experience, clients are increasingly reluctant to pay for glossy PowerPoint decks. Managed services and post-implementation support might be some viable options to remain relevant and, therefore, profitable.
The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
Information security professionals not only have to deal with change, more often than not they represent change. It might be changing the way a company manages access to its systems, works with third-parties or anything else.
To be effective with the change management process, security professionals should work with the business, demonstrating the value of security.
John Kotter in his book Our Iceberg is Melting tells a story about a penguin colony, which demonstrates basic principles of successful change management:
- Establish a sense of urgency
- Create a guiding coalition
- Develop a change vision
- Communicate the vision for buy-in
- Empower broad-based action
- Generate short-term wins
- Never let up
- Anchor new approaches into the culture
I just returned from my trip to Bangalore, India, where I was asked to deliver a series of training activities to the KPMG offshore teams. Spending a week there came with lots of wonderful insights.
First of all, India is a beautiful country. I didn’t really have a lot of time to travel around, but I still had a chance to visit the Bangalore Palace, drive up and down the Mahatma Gandhi Road, see the Parliament and many beautiful parks.
Moreover, apart from delivering training sessions myself, the local leadership organised a presentation for the UK team, where we were described the services they offer globally. I was impressed by the level of innovation and standardisation, which clearly demonstrate the rapid technological growth in India.
I’ve had a chance to work with some of the marvelous members of our offshore team before, and it was very valuable to finally meet them in person. I had an opportunity to interview a few people for a position in my programme and we are already on-boarding the successful candidate.
Not only I was able to share my knowledge and meet some lovely people, but I could enjoy a brief but wonderful taste of India and its warm hospitality. I’m sure the effectiveness of our communications and project work will increase substantially in going forward.