Have you ever considered that being the “best place to work” is something a security chap should take into serious consideration?
A lot of people keep thinking that security is all about one technology or another: most of those experts have mastered one specific technology perfectly and think they hold the holy grail of security.
Since I am not such a big tech expert, I am allowed to think that security does not live in any specific technology, but in a systemic approach in which technology covers just one part of a whole process.
One of the aspects that is so often forgotten when we talk about security is that most incidents in the security realm come from mistakes, honest mistakes.
A mistake can be due to several reasons:
- an unclear set of instructions (alas, we are still far away from the KISS – Keep It Simple, Stupid – principle, aren’t we?)
- an unclear process (I have to do what?)
- lack of knowledge
- lack of attention (I have too much to do …)
- lack of commitment (why should I care?)
- …
Mostly a combination of all those points.
Uselessly complex processes, esoteric instructions and language for “believers only” are just part of the normal security implementation.
Another big part is played by lack of understanding: knowledge is not just about the internal processes in place, but should extend to the basic security elements that too many people in the corporate environment (also at the highest levels) simply do not understand.
Concepts like social engineering, vulnerability and privilege escalation are just tapestries in the CEO’s office, not really understood concepts.
Given this underestimation of the basics of security, it is not a surprise how little attention is paid to the difference between a satisfied employee and a pissed-off one.
Why an unhappy employee is a cyber security risk is strictly related to the level of attention and commitment that the company’s cyber security needs require. If you are unhappy you will be less prone to listen and understand, and if you add to this attitude the ridiculously complicated rules that companies sometimes put in place, the result is devastating.
I am not talking about the unhappy employee who willingly wants to damage the company, but about all those who do not care enough to take a proactive approach to security.
Security is, at the most basic level, all about your attitude and behaviour. We can cover and patch elements through technology and processes, but the user will remain the key point of any security implementation.
It is no coincidence that social engineering, phishing and other techniques target users to breach a company.
Lack of knowledge (therefore lack of training) and unhappiness are the perfect mix to lower an employee’s attention level and hand the keys to an attacker, even if this is not the employee’s intention or will.
Let us be clear here: there is no security technology at the moment that can guarantee 100% security, and there is not even a process that can guarantee that kind of security. We are still in the Neanderthal phase of cyber security, but now is the time to realize that without a holistic approach that takes into account all the components, people among them, we will lose the battle.
So CSOs, CISOs and all the security-concerned guys should become advocates of employee happiness and employee knowledge, for their own good.