Current and former employees were found to be the biggest source of information breaches globally according to the Global State of Information Security Report in 2016. Information Security, for all the technology that is available, is to a large extent, a people concern.
Infosec technology can only go so far in mitigating the risk of a costly information security breach. And the costs can be huge. Not only is there a risk of fraud to your organisation and to its customers, there is also the immeasurable cost to your organisation’s reputation. Do you want your organisation to be known as the one that accidently supplied customer data to a hacker who then was able to access their bank accounts?
The risk of not having adequate security in place to protect data is high, but there is a balance to be found. Turning up technology security features so much that it makes life difficult for employees is going to hit your organisation hard too and risks alienating the very people who can help reduce the risk. That’s where partnering with your organisation can play a crucial role.
Instilling good practice, attitudes and behaviour in employees towards Information Security can substantially reduce the risk, However despite “controlling” for awareness through various audits, reviews, education, policies and procedures this can only go so far. You’ll have passed the audit but will you have reduced the risk?
First of all, communication is key and a good starting point that sets some solid foundations. Communicating to employees through education with “off-the-shelf” training and learning management packages is still a one-way process.
Infosec measures are counter-productive if they protect data but stop employees doing their jobs effectively and the way communication is done to them can be alienating. In addition people feel dis-empowered by not having their voice heard in how policy, procedures and technology are implemented.
As a security specialist, you will benefit from understanding how the business functions and makes its money, and by listening to concerns from the people who make this happen. Why? Because often, infosec solutions is about finding the balance between high security tools and the productivity needs of employees. In other words, managing RISK. An effective infosec specialist needs a full understanding of the business as well as skills and knowledge in infosec technology; to help understand where the most effective application of technology is needed, and also where “people power” is needed. In the end we don’t make technology decisions on behalf of our colleagues, we empower them to make a decision about RISK.
Along the line between high-end security measures and employee enablement lies several points at which appropriate infosec solutions occur. The job of the IT Business Partner is to present these solutions, and through discussion with stakeholders, agree on a solution which fits the organisation’s aims while minimizing risk of an embarrassing and costly data breach. This solution may carry some element of risk. Your job, in collaboration with others, is to ascertain what is an acceptable level of risk.
From infosec awareness to engagement
Great information security needs to go that one step further. Are we listening? To move on from employee awareness to employee engagement, communication needs to be two-way. We find relationships are cultivated, understanding increased, and better engagement happens when we listen to the concerns of our colleagues and identify ways on how you can enable them to do their job and be better infosec citizens. Working with employees, rather than just being known as the guy who always says “no” is key to developing an optimised infosec policy.
Collaboration does not stop once the policy has been rubber stamped and adopted. Getting input from colleagues on how it is formulated may even reduce the need for the technology in the first place. To make Information security an ongoing part of your company’s culture, employees can be nominated to be ambassadors for and to digital security. Having a way for an employee to report concerns is good, providing understandable information about the risk of IT security breaches and options on how to mitigate them is better. Empowering them to make decisions is best.
Information security is a holistic issue that is people-oriented as well as technological. Great Business Partnering can optimise infosec to suit both the security needs of the organisation and the people who have to navigate the systems to do the everyday that keeps the business going. Engagement is key.
Find out more about our Infosec Awareness Programme
In 2015, Jon Baxter spoke at the ESRM Conference about the issue of Infosec and how it applied to our work with Euronext.