Intelligent CIO APAC Issue 05 | Page 34

EDITOR’S QUESTION

JASON WHYTE, MD TRUSTWAVE A/NZ


If you want to ensure work practices deliver on cybersecurity, you need to ensure you don’t build an environment of fear around it.

While the consequences of a breach can be severe, you should encourage transparency and openness in your colleagues. After all, they are often the front-line in understanding what risks your company is actually facing in its real-world, day-to-day operations.
To quote Frank Herbert’s Dune: ‘Fear is the mind killer’. It is better for cybersecurity to be boring than terrifying. Fear is also the communication killer, and open internal communication regarding your team’s business practices is critical to determining where any potential issues lie and then appropriately dealing with them.
The core principle should be ‘make the secure way the easy way.’ When the pandemic hit and people started using unauthorized cloud services it wasn’t because they were being mischievous or wilfully trying to put the company at risk, they were trying to do their job the best they could – and those cloud services were the fast-track to doing that. If the easy way was a secure cloud service that worked for them, there would never have been a problem in the first place.
Prohibitions of certain behavior without thinking about the consequences will almost always go wrong. If you need someone to get a large file from Point A to Point B, but there is no authorized file sharing service and you have also banned USB drives, you’re eventually going to have a bad day.
As technology leaders, here are three key points worth following:
a. Understand the work practices of our colleagues, in very practical and realistic terms
b. Have an amnesty to get people to ‘fess up to non-compliant stuff they do without fear of getting in trouble
c. Put in place enabling technologies with proper security that address (a) and (b)
For example, if you give someone a popup that says: ‘Would you like to be secure today, yes/no’, everyone will click ‘yes’... unless the implication of clicking ‘yes’ is that half their applications don’t work... in which case they’ll click ‘no’. Think like them and security and best business practices will follow.


And keep learning at the forefront. A work environment that remains open to learning about possible risk will invariably reduce that risk when it finds it. The best source of information on non-compliance and on risky business practices is simply asking employees and supporting their awareness, not punishing it.
You want your colleagues to push the envelope when it comes to getting important work done. We all know shortcuts will sometimes happen. We just need to make it OK for them to tell us.