I like technology, but I prefer people.
Information Security is a broad discipline, and there is often a need to describe what the function represents. There is still a huge misconception that it’s all technical – network sniffing, flashing lights on motherboards and defending in real time at the keyboard against attackers. Yes, the media has a lot of blame to take on this one, but then again so do we. Have we done enough to prevent the fallacy that we Information Security people focus solely on technology?
So, how do I describe it? Infosec is a balance of People, Processes and Technology, and in my opinion it’s in that running order. My description is not unique, but it’s the representation I go by, and it really demonstrates how extensive we have to be. The order is very important: it helps position Infosec within an organisation, and it should help to challenge where the Infosec reporting line sits within a business.
We aim to solve our security problems at the People layer first and foremost, using awareness and providing guidance. We maintain engagement with the most valuable assets within an organisation, the people. We work with our people so they can identify risk, be it that phishing email or that door left wedged open. When you think about it, Infosec does ask a lot of people: a good security culture relies heavily on them, but this delivers the most successful outcome in reducing risk to the business. They pause, they question, they escalate where necessary, and they are empowered to make the correct informed decisions. People are the first resource we look to protect and the first protection mechanism we look to utilise.
Second, the processes. They are there to help the people and the business navigate safely, and to operate securely with minimal risk – for example, compliance with GDPR. Yes, we need policies, processes and procedures for GDPR; but they are authored and put in place to provide support and guidance to our people, so they have a reference in the context of the business when collecting, processing or storing personally identifiable information. The processes are most certainly there to support the people and must be embedded within the security culture as a positive and an enabler, not a set of documents that are a lead weight: restrictive, confusing to digest, and resulting in a negative outcome.
And finally it’s Technology. Where there are no alternatives and all else fails, we propose the use of tech, which can often be expensive to buy, expensive to run and expensive to maintain; plus it is never foolproof or the complete remedy to that security problem. For automated protection, or trawling through gigs of security event logs, to name a couple, technology is the answer. But it should always be the last resort when a security control is required.
I like technology, but I prefer people. I like protecting people and their information. I like helping prevent people from making security mistakes, and I like working to assist people if they have made a security mistake. There is no doubt today that people do a much better job at spotting a security risk and dealing with it than the latest artificial-intelligence-quantum-computing-ready-automated security technology.