I’ve been asked why, despite being a technologist by background, I don’t write about tech, or cover the most recently exposed exploits. Most security professionals spend most of their time selling, implementing, maintaining and monitoring technology. Most customers looking to improve their security think of it in terms of buying product – upgrading firewalls, buying better endpoint software, adding an IDS or an IPS. Most consumers see security threats in terms of penetrating technology perimeters – usually by typing very fast.
There’s nothing wrong with this, per se. There are lots of external threats; there are real criminals trying to compromise you – whether targeted specifically at you or just ‘spray and pray’; there is a lot of technology that helps to mitigate these attacks. One of my roles is to run a company which sells this technology, and offers secure cloud services. So why don’t I blog about it?
Because everyone else does. The world doesn’t lack for highly-capable, global-scale businesses which make, sell and talk about security technology. Nor is there a shortage of good independent blogs on the subject. It’s pretty difficult to add any value on the topic, especially because the chasm between platitudes and appropriate, specific advice is so large.
On the other hand, not enough people write about people and processes. This is despite the security industry acknowledging that the order of priority should be People, Process, Technology. There are several reasons why:
The security industry is just that, an industry. It exists to sell you stuff. Technology is easier to package and sell than knowledge or training. We all remember the proverb: “Give a man a fish, you feed him for a day; teach a man to fish, you feed him for a lifetime.” Salespeople would, of course, rather you bought a daily fish.
Technology is intrinsically complicated. From a salesman’s perspective this is a good thing. Arthur C. Clarke famously said that any sufficiently advanced technology is indistinguishable from magic. Magicians know stuff that you don’t, and they speak a language you don’t. That raises their value; it also encourages you to learn the language so you can raise yours in turn.
Information security is usually labelled otherwise – as ‘IT security’ or ‘cyber-security’. This leads us to think of it as part of the IT function. The purpose of the IT function is to procure and manage technology, so there’s a ready-made audience for the industry to blog to.
On the other hand, security awareness training and implementing secure behaviour is absolutely about teaching people to fish. It’s often not that complicated – the skill is as much in getting people to listen in the first place as in knowing what to teach them. It’s not restricted to, or even really part of, the IT function – it’s part of core management responsibilities.
I’m interested in information assurance – the overarching requirement to keep all of an organisation’s information – whether stored digitally, on paper, or in people’s heads – confidential, available and accurate. Technology has a role to play in achieving this outcome, but it’s a subsidiary one – the primary responsibility lies with people, and the primary tools are processes and procedures; ways of thinking and acting.