In today’s large corporations, one would say that information security managers have a lot on their plate. In addition to having to face major and constantly evolving cyber threats, they have to comply with numerous laws and regulations, while protecting the company’s assets and mitigating risks as best as possible. But do they know what this means to the average employee within the company?
People’s behaviour is goal-driven, and the employees’ behaviour is no exception. They usually follow the rules willingly while trying to comply with the security policy, but, at the end of the day, their objective is simply to get their work done. Though there might be cases of employees who’s malicious goal is to intentionally violate security policies, an accidental breach will most likely result from a poor implementation of controls. Here is where the information security managers’ job gets interesting. Once they rule out the possibility of an insider attack, they should focus on identifying where and how the design and implementation of the security policy forced the employees to find workarounds.
Usually, there is a huge gap between the employees’ perception of security policies and the security managers’, which negatively impacts the organisation as a whole. On the one hand, security managers assume that they have made all the relevant considerations pertaining the needs of the employees and their working environment by regarding them as part of the system. On the other hand, however, it’s not uncommon to hear dissatisfied employees complain about how they feel that security controls hinder or impede their performance.
Let’s consider the following scenario:
In an investment bank, a security manager came up with a policy document, outlining a list of authorized software, which can be installed on computers according to principle of least privilege – people should only have the access they require to perform their day- to-day activities and no more. All employees were denied access to install any new software without written permission from a security manager.
John is performing a report for the client. The deadline is fast approaching but there is still a lot of work to be done. The night before the deadline, John realises that in order to finalise his analysis he requires special data analysis software, which was not included in the list of authorised programs. He is also unable to install it on his workstation, because he doesn’t have the required privileges to install new software. Getting the formal written approval from the security manager is not feasible, because it is going to take too long. John decides to copy sensitive information required for the analysis on his personal laptop using a flash drive to finish the analysis at home, where he can install any software he wants. John understands the risk but he also wants to get the job done in order to avoid missing the deadline and get good performance review. Unfortunately he leaves his bag with the flash drive in the taxi on the way back home. He never tells anyone about this incident to avoid embarrassment.
Many things were done incorrectly in the previous scenario. Mainly, the security manager failed to recognise the employee’s needs before implementing the controls.
A general rule of thumb to never forget is that: an employee will most likely work around the security controls to get his work done, to reach his goal, regardless of the risks this might pose.
To address this, the security manager should follow these steps:
– analyse security tasks
– analyse business processes
– identify clashes
– identify cases of non-compliance due to obstruction of core business processes.
– adjust security controls.
Security managers in companies usually lack a clear process to implement security controls in order to ensure compliance with various regulations and standards. There is a trend to take the ISO 27001 Standard as a framework and then make a decision on any particular implementation based on their experience. Such implementations unfortunately run the risk of creating collisions with employees’ business activities. These may result in violation of security policies within the company, because they introduce friction, which employees try to avoid.
It is important for security managers to go beyond ensuring formal compliance and try to actually understand employee needs and their core business activities. They must remember that, in the end, people are the company’s main asset.
Business-oriented information security professional with several years of proven experience in architecture design and project management. Extensive knowledge and practical experience pertaining to analysing and solving governance, risk, compliance, information security and privacy issues.