It seems these days that at every turn, we’re reminded that cybersecurity needs to be front of mind. Whether it’s in our private or our working lives, not to mention the increasingly large grey area in between, security is everywhere.
At least, it should be…
There’s very little these days that doesn’t involve an exchange of information, and that information is valuable and worth protecting. We need to be making sure that the right information is used by the right people, at the right time. Otherwise – touch wood – it can cause significant disruption and potentially great harm. This goes for everything from our banking details and credentials to our social media and content streaming passwords. Even our very phone numbers.
Now, we’re not going to dwell on personal security too much in this series of articles, but arguably, the change to more flexible working locations and models for many people has brought us to a point where the line between work and “not work” is very hard to distinguish. And as we move seamlessly between work activities and personal ones, we’re less likely to switch our behaviour from one mode to another. In this blended mode, it’s more likely that we slip and make a mistake that can have unforeseen consequences. Most of these consequences will usually lie with the business in the form of financial impact and brand confidence, meaning that the burden of preventing the breach in the first place through supporting its people lies with the organisation.
Many security commentators say (and I agree) that good security comes about by addressing a combination of three fundamentals:
- People
- Process
- Technology
When looking at where to start and how to design the right security program, the most important consideration is the overall business need. A consultative approach is required, as working in isolation from the business will likely lead to an ill-fitting solution.
Ultimately, it’s the business strategy and objectives which define its Process, and in turn, give rise to the requirements of People and Technology. At this point, as we review how those People and Technology interact, we start to see information and data being generated. Risks emerge as to where the information is stored, how it’s accessed, used, and transmitted from system to system, and place to place. These risks are collated and ranked, with decisions made as to how each should be addressed. This risk matrix will likely form the basis for developing an information security and cybersecurity program.
Let’s look at each of these elements:
- People are arguably our most important asset; however, they can also have the biggest bearing on an organisation’s security.
With People being what we are (unpredictable, undisciplined, and sometimes unsure of what is the right thing to do), it’s critical to focus on better equipping them when it comes to security. Improve the way People interact with each other, their customers, and their systems – providing instruction, training, and tools that allow us to make the right decisions when faced with potential risks. This is more than just security awareness training though – it extends to how we manage the authentication and identification of people, systems, and applications.
We’ll talk further about Brennan’s approach to People and Identity in my next blog.