Posts

Week 10: Avoiding Security Control Creep

During class discussion this week, one of my peers mentioned that their company seemed to be in an ever-increasing spiral of thousands of applicable security controls. As information security professionals, we often focus on complying with industry best practices to the greatest degree practical, but we need to stay grounded in the truth that policies are only useful when they are widely understood. Even if the information security department has a strong understanding of the controls in use, it is an uphill climb to effectively educate the rest of the organization. For example, project managers are responsible for introducing some sort of change with each project, and if they cannot understand the applicable security policies, it is very possible that they will end up introducing a vulnerability that the policy should have prevented. The same risk extends to the user base: if users don't have a clear understanding of the security policy, their behavior won't be cons...

Week 9: Selling Security Education, Training and Awareness Programs to Users

I’ve frequently heard users complain to one another about the relevance, timeliness, or applicability of the training they just completed while on a break after a mandatory organizational SETA session. As cybersecurity professionals, we understand that SETA programs are a vital part of an organization’s information security posture. Verizon’s survey of data breaches shows that years of SETA programs are having an effect, helping make users more resistant to the temptation to click malicious links and more likely to report them during security audits. However, these connections are not as obvious to our users, who see SETA content as competing with work activities more closely tied to their core business functions. There are a few tricks I’ve found that help users take SETA training more seriously. The first is to tie information security to the core organizational mission. If you can demonstrate to your users that the time spent learning about information security benefits the ...

Week 8: Bring Your Own Device Policies and Users

Bring your own device policies are another area of information technology where security professionals can find their best intentions stymied by users’ attempts to work around policies that don’t consider the user experience first. This came up in conversation with a classmate recently, and there are two primary cases in which users circumvent BYOD policies. First, due to a shortage of resources, users may not have access to organization-provided mobile devices. Second, users may prefer their own devices because the organization’s devices are old, have an interface the user is unfamiliar with, or are inconvenient to carry or use. The latter case played out in the most recent US Presidential election, with one candidate’s use of her personal IT system rather than the approved government system during her time as Secretary of State becoming a major campaign issue. While most of us don’t need to worry about this level of exposure, either scenario can easily inspire users to...