Human Element in IT Security

28 02 2012

IT security has become a critical component of business success. Companies have deployed a multitude of technologies, policies, procedures, and other technical solutions to address their IT security challenges. However, many companies have underplayed the role of humans in IT security. Rationales for such behavior include internal politics and a surprising amount of chaos[1].

Companies must recognize that humans play a pivotal role (see Table 2) in ensuring the success of IT security mechanisms. The following initiatives will enable companies to harness human capital to that end:

  • Awareness:
    • Management must demonstrate commitment to and support for IT security.
    • Educate employees on the need to comply with industry standards (see Table 1) and internal policies.
    • Repeat – Repeat – Repeat: Implement a mandatory training program under the supervision of C-suite executives.
    • Set up constant communication emphasizing the importance of IT security.
  • Execution:
    • Based on a security risk analysis, focus on the highest threat first and deliver role-based training. Avoid a one-size-fits-all approach when training employees across the organization[2].
    • Set up a central service center to address security concerns and clarify policies and procedures.
    • Develop mechanisms to monitor and review the effectiveness of the security mechanisms in place.

In addition to the above tactics, a company must encourage a collaborative environment and develop a culture of teamwork to ensure data confidentiality, integrity and availability (CIA).

In summary, the rapid pace of technological change, coupled with humans' inherent resistance to change and to close monitoring, are key roadblocks to a successful security strategy. As discussed above, awareness, tailored education and cultural change can be important enablers of a successful implementation of IT security mechanisms.

Table 1: Information Security Regulation[3]

Table 2: Root Cause of Information System Failure[4]


[1] Charles Cresson Wood, The Importance of Defining and Documenting Information Security Roles and Responsibilities, http://www.informationshield.com/papers/SecurityRolesAndResponsibilities.pdf

[2] Deloitte, The People Dimension of Security and Privacy – Eight training and awareness habits of highly effective organizations, http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_consulting_PeopleDim_Security%20Privacy062309.pdf

[3] Charles Cresson Wood, The Importance of Defining and Documenting Information Security Roles and Responsibilities, http://www.informationshield.com/papers/SecurityRolesAndResponsibilities.pdf

[4] Deloitte, The People Dimension of Security and Privacy – Eight training and awareness habits of highly effective organizations, http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_consulting_PeopleDim_Security%20Privacy062309.pdf
