Confessions of a Security Optimist

I first noticed my new malady at Secure World Boston.  I participated in a panel discussion on data protection.  As my fellow panelists and I attempted to address the questions from the audience I found many strange comments flowing from my mouth.  There I was, cantankerous security engineer, extolling the virtues of user education.



Now in my own defense the argument did make sense, but I think the fact that I’m currently agreeing with this other self is why it bothers me so much.  I’d be happier if I could blame it on something I ate or perhaps dive into a paranoid rant about someone spiking my morning coffee.  Seems now that neither of these are the case.



So you ask, what is this stance I took that has me so perplexed?  Well, it is based on two well-known security adages.  The first is “Security is a weakest link problem.”  I think we can all get behind this one.  Attackers will attempt to expend the least amount of energy possible to exploit a system.  The second tenet on which I based this argument is “Users are often the weakest link in security.”  Putting these two together, it is easy to see that some focus must be on the end user when discussing security.



So how do you secure people?  Well, most people will tell you that security should be transparent to users.  I will agree with that in most instances, but what about when this isn’t possible?  What about when you have to rely on the users to do the right thing?  Why shouldn’t they write down passwords?  Why shouldn’t they email credit card numbers?  The only way to get buy-in from users on this is to educate them on why they need to adhere.



Too often security is perceived by the end user as an impediment: the cross they must bear because the angry techie in the black t-shirt said so.  What would happen if they were educated?  What would happen if users felt empowered to contribute to security?  What if we helped them see the value in good security versus the proverbial “shoving it down their throats”?  Would we perhaps see more compliance with policy?



I know many will buck this idea as too insane to work.  I understand that.  I found myself completely at a loss when I first started down this path during that panel discussion.  However, I was once told that the reason for software bugs was that developers and testers are lazy.  Many managers believed this to be true (and still do?).  I know from traveling around the world teaching developers and testers about security that laziness is not the only reason.  Developers do care about software quality and want to do the right thing.  Perhaps the same can be said of users?
- John