Questioned by Computing at the Infosecurity Show, Phil Cracknell, global security and compliance director at Yell, advocated being creative rather than prescriptive when it comes to changing user attitudes. Cracknell said: “It’s about having a workforce and contractors who deliver value to your business but understand why information is important and think more carefully about keeping it secure. Our education programmes and videos, which we distribute virally, aren’t prescriptive. They contain humour and really make people think about the value of the information they are handling. You can’t just say ‘thou shalt not do X’ – it just doesn’t work.”
Peter Gibbons, head of information security at Network Rail, agreed, adding that it was equally important to persuade senior non-technical managers of the need for, and value of, robust information security.
“You need to articulate any risks in their language, based on business-specific objectives. And you need to be able to show evidence of likelihood. If we say something could happen, we need to demonstrate why we think that’s so. That means being fairly specific about where a threat is coming from. It is no use talking about some vague amorphous blob on the internet that may or may not come to get them.”
In terms of technical protection, many leading organisations have swung away from simply protecting the perimeter of the organisation towards focusing on protection of the most sensitive data.
Balancing flexibility and security
Leading IT strategists now generally recognise that there are compelling potential benefits to be had from allowing users to work on their own preferred devices, applications and online services wherever possible. These include improving agility, workflow, collaboration, productivity and the organisation’s ability to attract the best talent. Ring-fencing certain data and limiting its use across particular networks, in particular locations, or on devices that aren’t securely configured, is one way to balance this flexibility against security – but less restrictive solutions need to be developed. Likewise, cost and agility factors now outweigh security fears for many businesses when it comes to the use of public cloud services – but again it’s important to draw the lines about what data or applications you’re prepared to let outside your organisation, and how rigorously you need to protect them.
There’s no “one size fits all” answer, of course – it all depends on the enterprise’s sector and priorities. Lockdown is still the favoured approach in industries where security concerns are paramount, such as financial services. The key to building a successful security strategy for the future is to keep analysing the changing risk profile against an organisation’s priorities to ensure security controls are appropriate and proportionate. Security should strive to be an enabler of effective business, not just a black hole of spending or a compliance burden.
But however you cut it, the days of smoke and mirrors, at least, are surely numbered – and for that we may end up thanking the hacktivists.