The modern economy is increasingly built on a cadre of knowledge workers who consume and process enormous amounts of information.
But these information-intense models are not without their risks, as we are continually reminded.
One of the big stories of 2011 was the rise of APTs -- advanced persistent threats -- that are causing us to re-think many long-held precepts around information security. There are new security philosophies emerging; new processes and tools -- and new focus areas to consider.
As Art Coviello put it so eloquently in his RSA keynote -- "people are the new perimeter". But how do we arm our knowledge workers to handle information -- in all its forms -- safely?
Rather than scratch our heads and wonder how best to close this seemingly brand-new proficiency gap, I think it's useful to review how earlier "trade" industries -- manufacturing, construction, shipbuilding, etc. -- identified this particular problem, and created the foundational methodologies to manage worker safety in an earlier age.
We often forget that seemingly new problems have sometimes been solved before, just in a different context.
And this might be just such an example.
Going Back
If you've ever visited a shipyard, or other large-scale construction or manufacturing site, you'll quickly realize that they can be very dangerous places -- not only for you, but for the people who work there.
We're usually talking about massive girders and beams, welding, heavy equipment to move it all around, big vertical drops and more. Or consider what it might be like to work in a factory that makes radioisotopes, for example.
There's always the imminent potential to have a really bad day.
Make any small mistake -- whether due to carelessness or inexperience -- and you could not only take out yourself, you could take out several of your co-workers as well. Not to mention cause a lot of physical damage.
Over time, these industries learned to take worker (and workplace) safety very seriously indeed.
The motivation was blindingly simple: accidents could be incredibly expensive. There are economic losses of productivity, various regulatory penalties, costs associated with workers' compensation -- even small accidents can be very costly indeed.
Just like an information breach :)
Their answer has evolved into what I could only describe as a "systems" approach.
One part is careful consideration of tools, equipment and work processes.
Another significant investment is around training, certification and monitoring of workers.
And, finally, a statistical control process (think six sigma!) where even the smallest incident is scrutinized to gain insight on further process improvements.
As part of my routine interactions with IT organizations, I'll occasionally probe as to whether they've invested in each of these "systems" elements regarding information security: worker environment, training and education, and statistical process control.
Occasionally, I'm surprised by the depth of their response. More often, they're investing in "behind the scenes" improvements (the infrastructure behind the worker environment), and not doing much in the other two areas.
Is it time for that thinking to change?
Back To Our Construction Site
I have an acquaintance who's involved in heavy construction. I was fortunate enough to pick his brain for a while on how they handle safety on job sites.
He is adamant that no one -- and he means no one -- picks up a tool at the work site unless they've been trained and certified. No amateurs allowed. The new people are shadowed for a while by a more experienced worker until confidence is established.
Thanks to the workers' union, all workers are continually trained -- not only about developments in their profession, but new safety techniques as well as reinforcement of existing ones. On the job site, there are clear and visible reminders everywhere around safety. He also said that onsite management had part of their compensation either directly or indirectly tied to safety as well, meaning there were usually multiple senior eyes keeping a watch on what people were doing.
When there was an incident of any sort, there were all sorts of forms to fill out, and many people who wanted to ask questions. Yes, a powerful incentive to avoid accidents, but also the raw material for continual process improvement.
He said tools and work processes were continually being improved -- he could see the changes over the years. Training and certification have also become more onerous and rigorous. And financial incentives to maintain a safe working environment were increasingly becoming a part of his compensation.
Does any of this remind you of how IT security might work? Maybe it should ...
What's Missing?
If we accept that this sort of conceptual model might serve as a blueprint for thinking about information security differently, what might be missing?
First, we're going to have to seriously revisit the topic of worker education, and -- ultimately -- certification. In many settings, a segmented approach would be indicated based on your role in the organization, and the degree of "information risks" you are routinely exposed to.
My informal survey of existing efforts in most organizational settings tells me there's a *lot* of work to do here.
Second, we're going to have to get much better at keeping and using records. Any incident -- no matter how small or apparently insignificant -- can be used as input for ongoing statistical process control. Again, my informal impression is that this information is often gathered, but rarely used in this fashion.
Third, we're going to want to create "information safety" incentives across the organization -- both at an individual contributor and a management level. Whether these are rewards, punishments or some combination I'll leave as an exercise for the reader.
But one thing is clear -- it's hard to get a meaningful change in daily behavior unless you provide consistent incentives to change.
More critically, we're going to have to organize for success. If you went to your present organization and asked "who's responsible for this?", you're unlikely to find the resources and alignment you'd need to be effective. Again, you can find these organizational constructs in the physical world; less often in the digital world.
And, finally, we're going to need a bit of that very rare and precious skill set -- leadership. Ultimately, the critical ingredient is often having people in a position of authority who can recognize the new challenge, and cause organizational focus to be placed on coming up with better solutions.
Why Isn't This All About Technology?
It'd be great if we could come up with wonderful technology that eliminates all the risks associated with people doing really dumb things, but I'm not holding my breath ...
RSA, as part of EMC, makes some amazing technologies that can help organizations tackle this problem effectively. They're also providing some useful coaching around what next-generation security functions look like: how they're organized, managed, staffed and so on.
That being said, security functions can often end up isolated from an overall organizational perspective. I now believe that "worker safety in the information age" is an organizational challenge; it most likely will require an organizational response.
To be successful, I think these security teams are going to need the exec-level "air cover" to align the broader organization -- and their behaviors -- with the ultimate goal: to unlock the potential of information and do so with confidence.
By: Chuck Hollis