IT Security - “Failure to see” or Failure to Act?

At a recent AusCERT conference it was expressed to the CSO Editor that many struggled with "how to actually effect change in IT security behaviour", and not just "raise" awareness.

From my experience it is often a failure or an oversight that leads to a major issue. In large enterprises the major risks are usually well documented and even known, so why is it that we don't act?

Is this a failure to see? Perhaps a failure to act? Or, worse still, both a failure to see and a failure to act?

Getting Numb

Many in IT Security have been on this gig for some years; it is not a place that one typically goes for a short period of time. It tends to attract a certain kind of IT professional who has an interest in, and aptitude for, this arena.

Very thick skin is required, as there is always resistance from various IT parties and partners. My belief is that all this daily interchange starts to make the IT Security professional a little numb and leads him/her to accept too much risk on his/her own shoulders.

At other times, the role of the IT Security Manager is to raise risks and "cry wolf"; unfortunately, while courage is a required attribute, it soon runs out. As a diligent IT Security Manager you will have to go into battle often, and how others respond to you has a real impact.

This is not about overt resistance, but often about the passive silence that can be just as unnerving.

Top down Thinking

I recall a time when I was the CIO and also Chief Privacy Officer for a $1B company, and with my hybrid Business and IT team we had to tackle a number of behavioural issues.

The situation was:

1) Less than 20% compliance with IT Security and Privacy training. The approach was old-school and antiquated, and there were no teeth to enforce it.

2) We operated in 50 offices, and most of these did not comply with physical or logical security. As such, PCs were left logged on, passwords were shared, laptops were not locked away, desk drawers and printouts/faxes were left around, and filing cabinets were unlocked.

Gamification with Teeth

As we were in Japan, I could access some great game developers, and we decided that we would start off with a complete overhaul of the training. All staff were told that the training was now mandatory, with online verification, and that to pass they would have to complete a 10-minute game.

Red Pig, Yellow Pig and Green Pig: as you wandered around your office you had to comply with the policy to lock drawers, filing cabinets, etc. It was a simple game and actually a little fun.

The result was 100% compliance, even for our 1000 sales reps, who are always too busy to take the test. While there was some level of threat and demand that the training be completed by a certain date, this was still quite amiable.

Once all staff were trained, which was completed within two weeks, we embarked on stage 2 – adding the teeth.

Pig Hunting

My team embarked on unannounced dawn raids across all our offices, walking the floors looking for non-compliance with security. Where laptops were left out, drawers were unlocked or offices were unlocked, we entered and left a Red or Yellow Pig sticker.

We also recorded the location of the offender against the floor plan. This was later shared in full detail at Exco, with follow-up in the ensuing months. While the sticker idea looked 'light', it also carried with it a warning that a repeat offence would result in an HR warning letter.

We took no prisoners: even the CEO had left his office unlocked, and his EA was not that happy.

We taught, we saw and we corrected

The success of the program was all about changing behaviour and making it part of the culture: what was acceptable and what wasn't.

There was no ambiguity, and it was clear that within 6 months we weren't going to change. In fact, we had agreed that we would start to get even more stringent.

For instance, the team started to check whether the multifunction printers and scanners were being flushed every day so that no sensitive data was left behind.

Leadership is what matters

The team's engagement in the activities was strong, and they progressed from wondering why they had been invited into this activity through to taking full ownership and accountability.

I never heard or witnessed any angry response from any of the non-compliant persons. They all understood from the 'game' what their responsibilities were and had to take this on the chin.

In the end this is about getting real ownership of security to where it matters: with the staff who use the systems and processes.

So where are you: do you have a failure to see? Or a failure to act?

Stories by David Gee