Watchmaker's Secret
The mechanism of a mechanical watch is a complex system of gears, springs, and other components that together determine whether it keeps accurate time.
It will display the correct time only if all components are in mutual balance and in proper condition.
The watch's effective operation requires regular service and maintenance.
Screws holding individual components may loosen, disrupting the necessary balance and proper functioning.
Winding the mechanical watch tightens the mainspring, which keeps it going.
Continuing to wind the watch after the mainspring has been fully wound may cause undue pressure on other components within the watch mechanism, resulting in the mainspring breaking and inflicting irreparable damage to the watch.
Overtightening the mainspring stresses the gears and balance wheel, resulting in rapid wear and compromising the timepiece's accuracy.
When winding the watch, stop when you sense resistance!
A damaged balance wheel can change the amplitude of oscillations, resulting in erroneous time measurement.
Each component affects the others, and only when each functions correctly on its own will the watch be accurate and show the correct time.
When we want to express that some complex system or the execution of a complex process is working excellently, a common expression is used: 'It functions like clockwork', or 'It works like a Swiss watch!'.
All of these are prerequisites for the proper functioning of a watch mechanism, as well as all other complex systems whose parts are interdependent.
One such system is undoubtedly the information security system, within which numerous processes and operating mechanisms are involved, ranging from technical, organizational, and personnel-related, to normative aspects.
In such a system, each component, whether small or large, is equally vital and interconnected with the others and with the overall system in which it exists.
Only in this way can the system establish the necessary balance and operate efficiently.
Just as a watchmaker must understand every component of a clockwork to repair or maintain it, a Chief Information Security Officer must have a thorough understanding of all of the aforementioned information security mechanisms to develop an effective defence strategy.
This necessitates the utilization of multidisciplinary expertise, which is not always easy to find in one person.
Perhaps this explains why CISOs are so highly prized, in the job market at least, if not always within the organisation where they work.
Management, including the CEO, CIO, and anyone in a senior role, must take information security training to fully understand the necessity of information security and what the CISO is saying.
If they refuse to educate themselves, they will be forced to learn the hard way, whether by ransomware, hostile insiders, or other ways.
Keep this in mind.
They claim that there are fewer and fewer skilled watchmakers!
If you are concerned about information security, listen to what the CISO says.
Organizations must recognize the importance of the CISO and security team, allocate adequate resources, and foster a collaborative culture that prioritizes information security.
Observation:
I do not arbitrarily compare the CISO to a watchmaker, nor the operation of a complex information security system to a clockwork.
It is also no coincidence that in teleological literature, the mechanical perfection of the universe's functioning is compared to a clock.
Instead of a conclusion:
Applied security measures and consistent implementation of procedures by all stakeholders in the information security system should not hinder or inhibit the business processes of any organization. On the contrary, a well-designed and balanced information security system should support and guarantee a continuous and uninterrupted flow of business processes without creating resistance or misunderstanding among employees.
Just like a watch, which requires occasional cleaning and servicing by an experienced watchmaker, activities related to establishing and maintaining the achieved level of information security must be subject to monitoring, occasional reviews, and constant improvements.
Just as there are small and large watches, with basic or more advanced functions, each organization has its own unique story. Only by acknowledging its specificities can balanced security solutions be devised.
Copy/paste has never been a viable solution!
Unfortunately, due to a lack of understanding of the importance of information security, employees will often continue to perceive adopted procedures as unnecessary and imposed.
Moreover, they will feel controlled and supervised by the organization.
The absence of sanctions for violating prescribed obligations will only encourage irresponsible behaviour and send the negative message that information security is not so crucial after all.
Implemented IT solutions can reduce the manoeuvring space for inadvertent errors, human stupidity and employee sabotage, but they cannot completely eliminate the danger of negative outcomes from such behaviours.
Because the risks posed by the human factor cannot be easily or permanently avoided, organizations should provide ongoing education to employees so that they understand the importance of adopted procedures and the consequences of an information security breach on them and the organization.
In these educational sessions, it is important to highlight for employees the potential personal losses resulting from the violation of adopted procedures, including personal financial setbacks or the loss of previously gained benefits.
Of course, they must also be made aware of the risk of negative consequences for the entire firm (triggering a ransomware infection, for example) as a result of their reckless or unlawful behaviour.
Organizations play a critical role in boosting employee knowledge about the necessity of information security.
If top management has not brought its human resources closer to the organization's shared values in terms of goals, vision, and mission, employees may suffer negative consequences such as a lack of commitment to tasks, an underdeveloped sense of belonging to the collective, and a failure to see the cause-and-effect relationship between their (harmful) actions and the overall security of the organization to which they belong.
The absence of this critical integrated component will devalue all earlier efforts.
In any case, the human factor will prove to be decisive in this story as well.
The issue is that malicious hackers are well aware of it too.