IT Governance Publishing named me the author of the month and kindly provided a 20% discount on my book.
There’s an interview available in a form of a podcast, where I discuss the most significant challenges related to change management and organisational culture; the common causes of a poor security culture my advice for improving the information security culture in your organisation.
ITGP also made one of the chapters of the audio version of my book available for free – I hope you enjoy it!
If you would rather listen to an audio while driving, exercising or commuting, this version is for you. The book has intentionally been kept to the point which means you can finish the audio in slightly over two hours. The fact that it costs the equivalent of two cups of coffee is an added benefit.
I know I’m slightly biased here, but I highly recommend it!
I’m proud to be one of the contributors to the newly published Cyber Security: Law and Guidance book.
Although the primary focus of this book is on the cyber security laws and data protection, no discussion is complete without mentioning who all these measures aim to protect: the people.
I draw on my research and practical experience to present a case for the new approach to cyber security and data protection placing people in its core.
Check it out!
Why your staff ignore security policies and what to do about it.
Dale Carnegie’s 1936 bestselling self-help book How To Win Friends And Influence People is one of those titles that sits unloved and unread on most people’s bookshelves. But dust off its cover and crack open its spine, and you’ll find lessons and anecdotes that are relevant to the challenges associated with shaping people’s behaviour when it comes to cyber security.
In one chapter, Carnegie tells the story of George B. Johnson, from Oklahoma, who worked for a local engineering company. Johnson’s role required him to ensure that other employees abide by the organisation’s health and safety policies. Among other things, he was responsible for making sure other employees wore their hard hats when working on the factory floor.
His strategy was as follows: if he spotted someone not following the company’s policy, he would approach them, admonish them, quote the regulation at them, and insist on compliance. And it worked — albeit briefly. The employee would put on their hard hat, and as soon as Johnson left the room, they would just as quickly remove it. So he tried something different: empathy. Rather than addressing them from a position of authority, Johnson spoke to his colleagues almost as though he was their friend, and expressed a genuine interest in their comfort. He wanted to know if the hats were uncomfortable to wear, and that’s why they didn’t wear them when on the job.
Instead of simply reciting the rules as chapter-and-verse, he merely mentioned it was in the best interest of the employee to wear their helmets, because they were designed to prevent workplace injuries.
This shift in approach bore fruit, and workers felt more inclined to comply with the rules. Moreover, Johnson observed that employees were less resentful of management.
The parallels between cyber security and George B. Johnson’s battle to ensure health-and-safety compliance are immediately obvious. Our jobs require us to adequately address the security risks that threaten the organisations we work for. To be successful at this, it’s important to ensure that everyone appreciates the value of security — not just engineers, developers, security specialists, and other related roles.
This isn’t easy. On one hand, failing to implement security controls can result in an organisation facing significant losses. However, badly-implemented security mechanisms can be worse: either by obstructing employee productivity or by fostering a culture where security is resented.
To ensure widespread adoption of secure behaviour, security policy and control implementations not only have to accommodate the needs of those that use them, but they also must be economically attractive to the organisation. To realise this, there are three factors we need to consider: motivation, design, and culture.
Of people and security: To build a working security culture, focus first on empathy and communicationPosted: February 28, 2018
A security department may sometimes be referred to by executives as the ‘Business Prevention Department’. Cyber security professionals, eager to minimise potential risks, can put controls in place that may stifle productivity and innovation.
Cyber security professionals are often too aware of what the business shouldn’t do and forget to mention what it should be doing instead. Ok, USB ports are now blocked, but have we provided people with an alternative to share files securely? Yes, we might’ve mitigated the risk of introducing malware through a flash drive, but have we considered a wider impact on the ability of employees to perform their core business activities, and, in turn, on overall profitability of the company.
Instead of saying ‘No’ to everything, let’s try to understand the business context of what we are trying to protect and why. Because that’s what actually matters and is absolutely key when designing security solutions that work.
People often think that security is the opposite of usability. In reality, the reverse is true. Design and security can coexist by defining constructive and destructive behaviours: what people should and shouldn’t do. Effective design, therefore, streamlines constructive behaviours while making risky ones harder to accomplish.
To do this effectively, security has to be a vocal influence in the design process, and not an afterthought. But it can only regain this influence if the value to the people and business is first demonstrated.
Wondering why your security policies don’t work? Ask your staff! Empathy, communication and collaboration are vital to build a culture of security. Security processionals need to shift their role from that of policeman enforcing policy from the top-down through sanctions to someone who is empathetic to the business needs and takes time to understand them.
Security mechanisms should be shaped around the day-to-day working lives of employees, and not the other way around. The best way to do this is to engage with employees and to factor in their unique experiences and insights into the design process. The aim should be to correct the misconceptions, misunderstandings and faulty decision-making processes that result in non-compliant behaviour.
Changing culture is not easy and will take time; but it is possible. Check out my book to find out more about developing an effective business-oriented security programme and improving security culture in your organisation.
I’ve been invited to talk about human aspects of security at the CyberSecurity Talks & Networking event. The venue and the format allowed the audience to participate and ask questions and we had insightful discussions at the end of my talk. It’s always interesting to hear what challenges people face in various organisations and how a few simple improvements can change the security culture for the better.
It’s been a pleasure delivering a talk on the psychology of information security culture at the SANS European Security Awareness Summit 2016. It was the first time for me to attend and present at this event, I certainly hope it’s not going to be the last.
The summit has a great community feel to it and Lance Spitzner did a great job organising and bringing people together. It was an opportunity for me not only to share my knowledge, but also to learn from others during a number of interactive sessions and workshops. The participants were keen to share tips and tricks to improve security awareness in their companies, as well as sharing war stories of what worked and what didn’t.
It was humbling to find out that my book was quite popular in this community and I even managed to sign a couple of copies.
All speakers’ presentation slides (including from past and future events) can be accessed here.