The information security industry is as much a victim of trends as any. From the early messages around antivirus deployment to, more recently, the shift from so-called end-point products (such as firewalls) to a more holistic view of security, the industry has faced constant reinventions and the odd identity crisis.
The latest fad is the move away from a technology focus towards the recognition of the ‘human factor’ in IT security.
“Technology is essential to security, of course, and increasingly so, as we learn to apply its leverage to manage our growing business and security problems. But technology is designed, implemented and operated by people,” explains David Lacey in his new book, Managing the Human Factor in Information Security. “The fact is that security and risk managers can now learn more from psychologists than from technologists.”
What should be a resoundingly obvious argument is nonetheless not one you often hear, even among many of the industry’s most austere experts. ‘Human factor’ solutions are a far harder sell than the technology tools applied to many information security problems.
A veteran chief security officer with more than 25 years’ experience setting the security agenda at organisations such as Shell and the British Foreign Office, Lacey can justifiably claim to be an authority on the subject, and his writing merges professional authority and anecdotes with a healthy degree of optimistic common sense.
For him, the human factor is an interesting conundrum deserving exploration, not a problem to be ‘patched’ with technology.
“Security professionals have long acknowledged the importance of the human factor in safeguarding business and personal information from hackers, spies and fraudsters,” Lacey says. “But in practice, we’ve rarely paid more than lip service to it.
“Our best practices have been little more than the occasional leaflet or an assortment of uninspiring intranet pages,” he adds. “That needs to change.”
Recent legislation around data protection means that pleading corporate ignorance is no longer an excuse. “In the past, if you could get away with it, ignorance was a much safer option. If things went wrong, you could always put your hands up, act innocent, and sack the IT or security director,” Lacey says. “But then along came the Sarbanes-Oxley Act of 2002, which heralded a wind of change through all corporate boardrooms.”
Much of the security threat comes from outside the organisation, and Lacey gives a broad overview of crime rings, the market for data and ‘the bad guys’. But the ‘insider threat’ is significant too, and that is Lacey’s key focus. He pays particular attention to new media such as social networks that may be deemed useful by the business, but are fraught with danger for IT security.
“[Social networks] resist dominance, they erode the traditional, hierarchical power bases in organisations,” Lacey writes. “Social networks are disempowering head offices and corporate centres, weakening the influence of corporate security policy in organisations.
“As information security managers,” he adds, “we need to understand how to influence and harness these personal relationships if we are to be successful in harnessing the benefits of these new ways of working.”
During discussions ranging from running successful awareness campaigns to effectively wielding the politics of an organisation, Lacey consistently returns to his theme: security is a problem of psychology as much as it is one of technology.
This turns what could otherwise be quite a dry tome into an engaging read. Lacey launches from highly technical subject matter into crowd psychology, hypnosis, the Forer effect (explaining why horoscopes work) and the art of creative thinking. The thoughts of leading security experts are interspersed with those of Inspector Clouseau, Shakespeare, infamous showman and hoaxer PT Barnum and even Douglas Adams.
The occasionally blog-like tone of his prose and his tendency to rocket from one seemingly unrelated subject to another is no obstacle to lucidity, but more a symptom of a man who generates ideas faster than he can write them down. Which is fair enough, as Lacey endeavours to do nothing less than to understand the human condition in the context of information security. “Your mind will probably be spinning from the mass of theories, ideas and opinions,” he states, somewhat perceptively, in his conclusion.
Managing the Human Factor in Information Security. By David Lacey. Published by Wiley. ISBN: 9780470721995. Price: £29.99