Distributing Security
James Bore
"...sartorially he’s what you’d get if The Doctor decided to park the Tardis and spend some time in cyber security." - Andrew Peck
You'd think by now we'd all know that security silos are a bad thing, counterproductive to what we want to achieve. Sadly, that doesn't seem to be the case.
Every patronising comment about people being the weakest link, each time a supposed professional blames the user, and most of all the culture of blame and shame that surrounds victims of deception, shows how far we still have to go.
Knowledge Traps
I recently wrote about psychological traps that we fall into, mentioning the narrative trap. There's another one that many of us in security easily fall into without realising it (many outside security do too; it's a common trap).
Knowledge traps are almost the opposite of beliefs in exceptionalism. Instead of thinking that we are unique and special, we assume that everyone else is coming from the same base of knowledge and experience as we are.
The assumption runs like this: everyone must have the same awareness of the dangers, the same understanding of threats, the same professional paranoia we expect ourselves to develop. It's a dangerous trap to fall into because it leads rapidly to victim blaming, and to us failing in our responsibilities to others.
We are there to give others the means to protect themselves at least as much as, if not more than, to protect them. Any other approach isn't sustainable.
You Are The Weakest Link, Goodbye
There's a problem narrative that still clings on: that people are the weakest link in security. I'm not a fan of that idea.
Victim blaming is one of the worst symptoms of poorly distributed security. If people are given insecure tools, aren't given training, and their priorities don't incorporate security, then the fault doesn't lie with the users.
That's not to say that, when secure tools, appropriate training, and personal ownership of security are provided, the individual shouldn't be accountable; only that I have rarely, if ever, seen that to be the case.
On the tools front there's an argument that the blame might belong on the development side, but even then, if developers aren't given access to the right security resources to build properly in the first place, are they really at fault? Here I do think education plays a part: security needs to be embedded as a foundational principle when people learn to develop software, and that begins at the beginning.
The Point
All of this boils down to security needing to be embedded across organisations. The ideal is not a highly capable, dedicated security function but a skilled and knowledgeable security resource that is not only available to the wider organisation but actively seeking out opportunities to assist, support, and educate.
I've found, repeatedly, that given the understanding, most people are motivated to take ownership of their own security. The biggest issues come when they're trained to believe that it's someone else's problem, which happens when security is siloed away in its own ivory tower.
Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored
Comment (1 year ago): Very well put!