Implementing InfoSec Programs: A Guide From The Trenches

A set of lessons on what makes security initiatives “tick”.


Information security technologies are today being deployed at an extremely rapid pace within enterprises. However, the speed at which these technologies get adopted and deliver value is slower than expected. Having worked with numerous enterprises, from 20 people to 200,000 people, what we want to share here is a set of lessons about what makes security initiatives “tick”. Most of these have very little to do with the technology itself.

1. Security And Humour:

The business of security is treated far too seriously. In the context of security awareness, our jobs are not very different from those of the folks who are trying to sell soap and insurance, i.e. there has to be something which makes the idea stick. For a rather “boring” topic like security, we have found humour to be the best capsule for delivering the message. Humour brings people together and encourages sharing over the lunch table. In some cases we have seen security awareness campaigns delivered with humour actually become ice breakers in board communications as well!

2. Security As An Enabler:

Q: Why can Formula 1 cars go fastest?
A: Because they have the biggest brakes!

The idea of brakes enabling cars to go faster is not very easy to digest since accelerators are usually associated with going faster. What really helps is if the organisation can position security as an enabler and not as an inhibitor. For example, an online banking multi-factor authentication system can be positioned as an additional security measure (security as a method of “protecting”) OR it can be positioned as a way to enable large online transfers which would otherwise not be possible (security as an enabler). The question which every security initiative must answer is “What does this enable us to do?” Another example from real life experience is as follows:

The organisation is one of Europe’s largest financial fraud investigation agencies. To investigate fraud it required subject matter experts to come in from various parts of the world and help in the analysis. All information related to the investigation was extremely confidential. Using a state-of-the-art Information Rights Management system, the organisation was able to share confidential information with all kinds of external experts without requiring them to physically come in to a central location, thereby reducing delays and travel. It also retained control of the information while it was on “unmanaged” computers belonging to different people. This is an example of security technology “enabling” collaboration which would otherwise be very difficult.

3. Security Linked To Rewards And Recognition:

Rewards and recognition have helped a lot of causes, and information security, in that sense, is no different. Everything from a mention and profile on the intranet home page for the “Security practitioner of the month” to movie tickets and even monetary rewards goes a long way in driving the point home. The publicity around the award has to be as big as, if not bigger than, the award itself, and all methods like internal newsletters, websites, posters etc. can be used to profile the person.

4. Security As A Logical Step And Not A Top-Down Mandate:

A lot of the time information security is not practised because it is not explained. Processes and technologies are put in place without really explaining the pain / risk being handled, the process of selection or any meaningful debate. This leads to information security being perceived as something that “they” want, not something that “we” want. What we have seen help a lot is a meaningful explanation of the problem and taking the “audience” through the process of discovering the solution, backed with data. A content filtering system suddenly put in place has a high chance of being perceived as a “control freak” system. In a few cases, some organisations have actually shared (shocking) statistics on the amount of time people are spending on non-work-related websites, the amount of bandwidth consumed by video / music websites, or even just published the top 50 traffic-generating websites for the company. Once this context is set, the “answer” can be discovered by everyone.

5. Security As A Practice:

a) Detailed descriptions of security initiatives being sent via unencrypted email while the clear directive is to encrypt all confidential information.
b) Senior management bringing in personal devices and iPads to business meetings while the clear directive is to not allow personal devices for corporate data.
c) Security personnel “tailgating” into the server room.

All of the above are real-life scenarios we have experienced, and each one rings the death knell for security initiatives. Security, just like charity, begins at home.

6. Security Extended To The Value Chain And Not Only The Enterprise:

Last, but not least, it is important to realise that today’s organisations operate under no particular “perimeter”. Confidential information passes through every perimeter defined on the basis of devices, networks, applications, personnel, location… Security initiatives which are focused on increasing security “within” are necessary but far from sufficient. It is important to acknowledge that security is not an organisation’s initiative but an “ecosystem” initiative. In this context, security initiatives need to extend outside the organisation to vendors, partners, customers and even government bodies. If you send your confidential data to your lawyer and he loses his laptop, your data will still be compromised. Acknowledging this fact and investing in “borderless security” technologies and processes can drive up awareness and adoption.

A lot of what is written here is obvious when read, but not terribly obvious when every day we are being bombarded with hype about the next big technology trend. These lessons, however, can make the critical difference between the “product being deployed” and the “solution delivering value”.

The author is CEO, Seclore.
