IT security shouldn't be 'because I told you so' - consult employees on policy, agree industry panel

End user skills and knowledge should help your course, not be a barrier

IT security shouldn't be dictated from on high, as trusting and involving employees helps to nurture a greater security culture, an industry panel representing leading banking, media, engineering and security solution firms has agreed.

Speaking at Computing's 2016 Enterprise Security and Risk Management Summit today, Anton Karpov, CISO at Yandex, Russia's largest search engine, suggested that security "shouldn't be because I told you so".

Speaking as the CISO of a firm composed of many technically-proficient employees, Karpov said that involving skilled and savvy people in security culture is an easy win, but requires trust.

"It's important to explain why you have certain rules or systems deployed, but you need to realise that technical people are open to coming to you and telling you if something is wrong. I'd say it's important to be able to trust your engineers and employees," he said.

News UK's head of information security Munawar Valiji revealed that his firm leverages employee insight in a different way, using news and current affairs awareness to lead the security message:

"Dealing with privacy and data security, we bring together, effectively, a [company] brand to be safe and secure.

"So rather than simply telling users to be secure, we also have them leave the company with the same message, and we make it very personal to them around using the sheer weight of evidence in the news, such as the recent Tesco Bank hack, for example.

"News UK needs the cultural element of the organisation in terms of willingness to engage and make employees aware. That's the cornerstone, and forms a core work stream. Being a media organisation we're not required to have the same sort of control as a bank - it's a different ball game in terms of regulation expectation. It's about finding a balance."

News UK doesn't need to "be too heavy in terms of technical expectations", and can instead lead with a cultural message, he said.

Head of information security strategy and architecture at RBS Stephen Khan observed that - as a bank subject to many regulations - the core challenge is overcoming the "barrier" of explaining the risks to employees.

"It's a very simple thing - whenever you ask a human being to give one click or two clicks, there's always a barrier - they always want to know why they have to do this."

Khan's solution is to engage the whole business together - all stakeholders - in "workshops and groups".

"What we've done is create marketing collateral against certain stakeholders, and what impact and value it creates for the bank moving forward. The ongoing value is something we articulate from the beginning. [In the past], we've seen technology delivered, but people not engaging with it. You need both technology and engagement to find success."

Security solutions vendor Darktrace's account manager Sam Alderman-Miller reflected that his firm "often gets asked for advice" about employee security culture.

"We've certainly had both ends of the spectrum - I've had IT screaming from the rooftops about having Darktrace in play, and on the other side they've gone under the nose of the CTO to try and deliver that hard-hitting business case.

"I agree it's not just about technology - but tech is also driving us away from a culture of apathy. It's a part of our working lives now."