It’s widely accepted that attention to the needs of people, process and technology is the foundation of effective information governance. Good process design and smart technology will not by themselves deliver the goods. People are the real key to successful exploitation of information and technology. People create, use and interpret data. They manage information systems and administer access rights, and they control an array of increasingly powerful desktop devices. People also make mistakes and create incidents. But at the same time, they can also identify risks, prevent incidents and respond to crises.
In everyday use of IT, it’s often the people side that receives the least attention. As much as we’d like to see it, information systems are rarely built to satisfy the needs, wants and preferences of the users. The result is that few information systems are intuitive enough to be used correctly without a degree of user training. Many security risks are also invisible or counter-intuitive. It’s not logical to imagine that a small, local oversight can bring down an enterprise-wide service.
Most of our business systems are reasonably well protected against physical hazards, typically running on dedicated equipment housed in secure buildings. But it only takes a single connection to an infected website, or the loss of a single memory stick, to compromise an entire database, and the damage from a major breach is often much more than just the financial cost of the incident response and investigation. It can seriously damage future revenue. Successful brands take years to establish, but their value can be quickly lost in a wave of citizen and media outrage. Constant vigilance is the price of today’s freedom from breaches.
But nobody is perfect and it’s often the best employees that make the biggest mistakes because they work harder, quicker and longer, and are less likely to be supervised. We cannot eliminate all accidents and errors, but we can do quite a bit to minimise the likelihood of a damaging breach. In practice, there’s no such thing as an isolated incident. In the safety field, it’s well known that behind every major incident there are dozens of minor incidents, hundreds of near misses and thousands of bad practices. If we can minimise those bad habits and near misses, and identify and fix the root causes of incidents, then we are much less likely to suffer a major security breach. An ounce of prevention is better than a pound of cure.
As a former security director I’ve often been asked: ‘How big is your security function?’ The true answer is: ‘As big as the organisation’. In some cases I could even include the contributions of online customers. This is because information security is everyone’s responsibility: from the executive board room to the reception desk. All managers and staff require regular briefings about new technologies and emerging security risks. In an increasingly networked world, where we have powerful capabilities to access data and systems across shared public networks, our collective know-how is the thin blue line that safeguards our information assets from computer intrusions and data breaches.
I’m delighted to have been asked to contribute this foreword to a practical, pocket guide. We need more educational guidance in the hands of managers, rather than in academic textbooks. I’m also a passionate believer in the power of education and awareness programmes to prevent incidents. A few years ago, when I was Director of Information Security and Risk for Royal Mail Group, I sponsored a full-time security awareness programme and I monitored its impact on security incidents. The results were staggering. I found that a single, targeted intervention could achieve a huge reduction in incident levels, by more than half in some cases. The impact of a campaign quickly fades, however. Awareness must be maintained and embedded into organisational culture to have a lasting effect.
We all need a minimum amount of awareness and training to gain the knowledge and skills needed to use systems and technology efficiently, safely and securely. Bad habits are easy to pick up and surprisingly hard to discard. And common sense is not as common as we’d like to think it might be. Training enables us to benefit from the findings and best practices of a much broader community, rather than to rely just on our own limited experience. Induction and training programmes are an essential investment for all organisations. Not only do they increase efficiency, they also help safeguard our valuable intellectual assets: the crown jewels that reside, not in bank accounts and bricks and mortar, but in our information, relationships and reputation.
David Lacey, November 2009