At a recent AustCert conference it was expressed to the CSO Editor that many struggled with "how to actually effect change in IT security behaviour", and not just "raise" awareness.
In my experience it is often a failure or an oversight that leads to a major issue. In large enterprises the major risks are usually well documented and even known. Why then is it that we don't act?
Is this a failure to see? Perhaps a failure to act? Or, worse still, both a failure to see and a failure to act?
Many in IT Security have been on this gig for some years; it is not a place that one typically goes for a short period of time. It tends to attract a certain kind of IT professional who has an interest in and aptitude for this arena.
Very thick skin is required, as there is always resistance from various IT parties and partners. My belief is that all this daily interchange starts to make the IT Security professional a little numb, and too accepting of risk on his/her own shoulders.
At other times the role of the IT Security Manager is to raise risks and "cry wolf". Unfortunately, while courage is a required attribute, it soon runs out. As a diligent IT Security Manager you will have to go into battle often, and how others respond to you has a real impact.
This is not about overt resistance, but often the passive silence, which can be just as unnerving.
Top-down Thinking
I recall a story from when I was the CIO and also Chief Privacy Officer for a $1B company, and with my hybrid Business and IT team we had to tackle a number of behavioural issues.
The situation was:
1) Less than 20% training compliance for IT Security and Privacy training. The approach was old-school and antiquated, and there were no teeth to enforce it.
2) We operated in 50 offices, and most of these did not comply with physical or logical security. PCs were left logged on, passwords were shared, laptops were not locked away, desk drawers were left open, printouts and faxes were left lying around, and filing cabinets were unlocked.
Gamification with Teeth
As we were in Japan, I had access to some great game developers, and we decided that we would start with a complete overhaul of the training. All staff were told that this was now mandatory, with online verification, and that to pass they would have to complete a 10-minute game.
Red Pig, Yellow Pig and Green Pig: as you wandered around your office you had to comply with the policy to lock drawers, filing cabinets and so on. It was a simple game and actually a little fun.
The result: we had 100% compliance, even among our 1000 sales reps, who are always too busy to take the test. While there was some level of threat, and a demand that the training be completed by a certain date, the tone was still quite amiable.
Once all staff were trained, which was completed within two weeks, we embarked on stage 2: adding the teeth.
My team embarked on dawn raids across all our offices. These were unannounced, and we walked the floors looking for non-compliance with security policy. Where laptops were left out, drawers were unlocked or offices were left unlocked, we entered and left a Red or Yellow Pig sticker.
We also recorded the location of the offender against the floor plan. This was later shared in full detail at Exco, with follow-up in the ensuing months. While the sticker idea looked 'light', it also carried a warning that a repeat offence would result in an HR warning letter.
We took no prisoners: even the CEO had left his office unlocked, and his EA was not that happy.
We taught, we saw and we corrected
The success of the program was all about changing behaviour and making what was and wasn't acceptable part of the culture.
There was no ambiguity, and it was clear that we weren't going to relent within six months. In fact, we had agreed that we would become even more stringent.
For instance, the team started to check whether the multifunction printers and scanners were being flushed every day, so that no sensitive data was left behind.
Leadership is what matters
The team's engagement in the activities was strong; they progressed from wondering why they had been invited into this activity to taking full ownership and accountability.
I never heard or witnessed any angry response from any of the non-compliant persons. They all understood from the 'game' what their responsibilities were, and had to take this on the chin.
In the end, this is about getting real ownership of security to where it matters: with the staff who use the systems and processes.
So where are you: do you have a failure to see? Or a failure to act?