
David Lacey discusses the relationship between technology and the human risk, and whether technology professionals have a hard time managing that risk.
“Behind every major incident, there are, on average, 29 minor incidents, 300 near misses and thousands of bad practices”
-David Lacey
The starting point is to realise that the people who work in security and technology don’t have any training background in the essential sciences that are related to how we communicate in messages. I believe that communications need to be developed by communications professionals, not technology professionals, and as I point out in the book, it’s much cheaper to hire a journalist than a security consultant. The question is, why are we using security managers and consultants to develop educational awareness material? What we need is a lot more emphasis on getting professionals in to support security people.
But it’s not just the psychology of communications that we need to understand, it’s also taking on better practices that have proved to have longevity, like those within the safety field. And we, as security professionals, could learn so much.
There’s almost a whole culture of reeducation that’s involved in that area.
Positively human
The financial services sector often places much emphasis on the technology side of the business, but ultimately, all technology is only ever as good as the people behind it. FST speaks exclusively with David Lacey about the importance of managing the human factor of information security.
In David Lacey’s new book (see our review on page 138), he investigates the growth in social networking and the vital need for all enterprises to ensure that computer users adhere to corporate policies. “Technology security is a big issue,” he explains, “and certainly we don’t place enough effort on it and in fact, over time, the balance between whether you need more effort on technology, people, or processes does tend to shift a lot.”
As Lacey details, there have been times in the past when the financial services sector has needed a ‘technology fix’, but at the moment he believes that the real problem lies on the people side. “You can’t get a perfect solution with people,” he notes, “you need technology as well. People make mistakes – they’re only human. And there will always be incidents arising from that.”
People can be easily fooled, for example, and Lacey stresses that there needs to be a lot of emphasis on people simply because people are behind everything: “People design systems: they supervise them and they operate them. They also attack the systems, and it’s actually people who then identify the risks, spot the incidents and then turn them around.” Another important factor for Lacey is that major incidents can also be an opportunity for organisations. “There is a lot of publicity that comes with a major crisis,” he explains. “There is a lot of opportunity to transform the organisation – and it is possible that you can come out on top.
“In fact, research by Oxford Analytics actually demonstrates that the shareholder value for companies that manage a crisis well can actually go up quite significantly, by as much as 10 or 20 percent; although initially, it always fails. It can also go down by 10 or 20 percent if the incident is managed badly.
“The key thing with people is that we’ve been going about the whole process the wrong way. We haven’t learned from areas like safety, for example, where there is a distinct no-blame culture. You do a root cause analysis of every major incident to find out all the different things that contributed to that, and you fix them. And the safety field also realises that behind every major incident, there are, on average, 29 minor incidents, 300 near misses and thousands of bad practices.”
This is something that currently isn’t being done in the security field. Here, professionals wait for a great big incident and then carry out a knee-jerk reaction where a lot of money is spent to try and stabilise the crisis. “If you’re instilling the kind of blame-culture where everybody knows if they do something wrong, they’re going to be immediately disciplined and punished severely, then that’s the wrong kind of culture to promote. Behind every incident, there are many causes. It’s never just down to a single person and that becomes a big distraction in tackling the root causes of such crises.”
Lacey identifies that incidents are often the fault of varying layers of responsibility, and he says that organisations need to understand that people are going to make mistakes. He even notes that it is often the best staff who will make these mistakes because they are working harder, are working longer hours and are under more pressure – particularly during this recessionary climate where layoffs and cutbacks result in harder work schedules for those left behind.
“If staff are working too hard,” Lacey explains, “they are more liable to make mistakes. If they’re not supervised properly then that’s another factor, and if they’re not trained properly or aware of the risks then that poses another problem too.” He also adds that badly designed systems that are neither user-friendly nor ergonomic enough also play a role as a root cause of an incident happening.
Bolster your defence
Insider threat is another major issue, and people processes are becoming more and more important because of networking and its use in the workplace. “Networks connect people, and with the growth in social networking, you’ve now got a collective power of people to do things which they never could do before and to make mistakes on huge scales which they could never do before either,” details Lacey. “All of the centralisation of power and the powerful access an individual can have encourages insider threats and encourages external attempts to manipulate people inside. Because of this, there are some really severe things going on.
“The problem with the insider threat is that it’s very hard to actually differentiate a potential crook from a high-flying, effective manager. They both show the same characteristics of being determined, competitive, ruthless, aggressive and focused, and therefore it’s often the case that fraudsters do well within an organisation.
“Having said that, there are things you can do to bolster your defences,” Lacey continues, “and these include more rigorous background checking when recruiting people.” He also notes that organisations don’t do enough in terms of disciplining and encouraging people not to commit crimes, because everyone who commits a fraud tends to justify it to themselves. “Fraudsters have to rationalise why they did it, and they believe that they did the right thing. Evidence shows that even serial murderers think they did the right thing for society. That’s how they live with their actions.”
Lacey believes that if organisations allow people to get away with the small things – like someone browsing inappropriate material and nobody doing anything about it – it creates a climate that is encouraging people to take that step further and commit a fraud. “People will only do something wrong if they can justify it to themselves in some way and if they believe they’re going to get away with it. What we tend to find is, ‘acceptable use policies’ are absolutely worthless within an organisation and, oftentimes, people just don’t know about them, they’re badly written and are incomprehensible. What’s more, they’re not communicated properly through training, nor are they enforced consistently. So every now and then, when somebody does enforce one of these policies, it’s always a shock to the organisation, and it shouldn’t be that way; people should know what the rules are, they should know exactly how far they can go, and they should know that they will be enforced consistently.”
David Lacey is a leading authority on Information Security management with more than 25 years professional experience, gained in senior leadership roles at Royal Dutch/Shell Group, Royal Mail Group and the British Foreign & Commonwealth Office. Lacey is now a freelance director, researcher, writer and a consultant to organisations, venture capitalists and technology companies.