Sunday, June 12, 2016

Awareness and Cyber Security versus Agile Development

Let me start with a message (yet again): "If you want an agile environment, you need Security Awareness". What did I just say? I recently said in another blog post of mine that if you need Security Awareness to be secure, then you are doomed in the first place. I still think that is true, but it is only a part of the case I want to make. In this post you will read the rest of my point of view on this topic.

On June the 14th of 2016 I will talk about this specific topic at “Cyber Security v Agile eCommerce”, hosted by ION-IP, WhiteHat Security & The Embassy of the United States of America in Amsterdam. In this post I will dig a bit deeper into this topic, why I have this opinion and why I want to share it with you and the rest of the world (the world, because if I may believe Google Analytics, my readers are from everywhere, thank you all!).

Security awareness by itself is by no means the holy grail of a secure environment to work, play, and live in. Yet many companies and security professionals alike focus heavily on security awareness, and to be more precise, on security awareness at user level. I believe that when you cannot make security ubiquitous by nature, you will fail for sure at creating awareness at that level.

A couple of months ago I was looking for a replacement car (my former one broke down) and, as I really do not know anything about cars other than how to drive one, I noticed a certain behavior of mine. That behavior is commonly known as “a typical user who does not know anything technical about the topic at hand and therefore lacks any sensible judgement about its mechanics”. And it gave me a valuable insight concerning security awareness at user level.

This insight was the very fact that I literally did not ask one question about the security of the car. I did not ask anything about the airbags, brakes, seat belts, electronic brake-force distribution, lane detection, or the security features that accompany cruise control. I asked myself why, being a security officer, and the only answer that pops up is this: “If I do not know anything technical about a car, I for sure cannot influence its security, I can only use it as it is built”. I think that the security of the car should be ubiquitous. And this changed my perspective on creating security awareness at user level.

The point that I am making in this talk is that your focus or drive should be to eliminate security awareness at user level. This focus helps you to become more creative by building solutions so that non-technical users work securely by design, instead of working insecurely and hoping that, with some awareness, stuff will not hit the fan. But this needs security awareness at another level in the organization.

My statement in the talk is this: “Move security awareness to the level where change is done…”. If the people with the power to change are aware of security, it is more likely that a securely designed system is being created. So instead of focusing all that energy, time, and money on security awareness for everyone in the organization, try focusing it all on your IT staff. I firmly believe that when you do that, nice things start happening. Part of this firm belief is the experience I have had with this principle in the company where I am fortunate enough to work.

Security and privacy are not the same thing, so I also advocate starting to work on privacy awareness. And, in contrast to security awareness, that topic should be addressed to everyone in the organization. It is by far more effective than security awareness, because the topics are more relevant by nature, and people can really influence them by their behavior. It is easier to teach a user not to share social security numbers or medical details by phone and e-mail than to teach such a user to recognize specially targeted and crafted phishing mail and not to click on the link.

Let me end my post with a piece of advice and a question.

When you focus security awareness on the place where change is done, you get more systems designed securely (and this will grow over time). Awareness should also focus on automation, because I firmly believe automation is imperative for increased security. And the more you automate, the more agile you will become. And the more agile you are, the more anti-fragile you can become. And anti-fragility helps make your business weatherproof against (sudden) changes in its environment.

So, security awareness at IT level leads to secure design, which leads to automation, which leads to increased agility, which can lead to anti-fragility. Cyber Security can go hand in hand with Agile Development. And let me turn that around: a strong Agile Development culture can greatly increase your security!

What can you design and automate in order to make security awareness obsolete, while increasing the agility of your business?


