A security mindset involves thinking like an attacker, an adversary or a criminal in order to detect and respond to potential threats that put our valuable assets at risk. This thread discusses the (in)ability of our security mindset to cope with digital threats and the responsibilities of organizations in this matter.
The Basics
We all come to life with a seed of security mindset inherited from our forebears in the form of our amygdala. The amygdala, a tiny structure deep inside the emotional part of the brain, controls the way we react to stimuli or events that we perceive as potentially threatening or dangerous. Being utterly risk averse, the amygdala preaches flight without hesitation or thinking.
Over time, through absorption of elements of our own education, environment and experiences, the seed mutates into a risk-based security mindset. Acting as our guardian angel, it dictates our decisions and behaviors in a way that minimizes either the probability or the impact of any risk with which we and our valuable assets could be confronted along our journey on this earth. While risk tolerance differs between individuals, we all benefit, consciously or not, from our security mindset in our day-to-day life. At least in what concerns the risks pertaining to our "human" assets such as ourselves, our family and close relatives, and physical assets such as our home, car, phone, wallet, bags, etc.
What about our valuable digital assets?
We can't assert the same for our valuable logical data, for which our security mindset is utterly ineffective. Why? Because the concept of "logical data" arrived with the advent of the digital age, a period still in its infancy compared to the whole of human history. It is a blurry, impalpable and invisible asset that none of us can really fathom, define, grip or master, with the aggravating factor that it can be endlessly multiplied, copied and stored anywhere.
Beholding people conspicuously and freely scattering and sharing their data, reusing the same passwords across multiple sites, clicking on any file or link in their mailbox, downloading applications and games or streaming movies, sending their credit card data without any consideration of the site's legitimacy, not bothering to take backups of their data, installing home automation systems and smart TVs without caring to change the default passwords, one could perceive that... there is something rotten in this digital kingdom.
People either have no clue about the value of their data or are unconscious of the hovering risks. They act like kindergarten kids, playing unmindful of the risks they will be confronted with later in their lives. They are unaware of the dangers or wholly ignore them. There is a conspicuous absence or lack of education and awareness in this matter.
Who should teach them to discern, respond to or ward off digital threats? Certainly not their parents, who are even more ignorant in this matter. Our education system, maybe? I doubt it, given the severe latency of this system in adapting itself to the steady and rapid evolution of technology and the associated threats.
When I was taking my civil engineering classes back in the late 80s and early 90s, I never saw or heard anything about information and data security. OK, it was the onset of the Internet and of personal interconnected computers, when security consultants were considered trailblazers, but nowadays, while information technology insinuates itself ever deeper into our lives and attacks against our data get more and more pernicious, security must be addressed as a topic of general interest. Still, it is absent from the lectures, except in specific dedicated curricula.
In the absence of education in appropriate behaviors and awareness of the value of our digital assets, I'm afraid that the only ingredient left to nurture, hone and drill our security mindset in this matter is experience. I mean learning the hard way, through bad experiences such as being victims of data theft, data loss, account impersonation, social engineering or swindlers.
The social responsibilities of our organizations
With such an unfit security mindset, how could organizations expect their staff to handle their sensitive business and customer data appropriately? As Bruce Schneier stated, "A security mindset is not natural for engineers, developers, administrators, sales, implementers or any other roles participating in the organization life". They all just want to do their job as well as they can with as few hurdles as possible, and in this context security is too often looked at as a roadblock. This lack of awareness and carefulness makes them the weakest and sorest point of an organization's information security management system.
More than complying with security and privacy regulations such as GDPR, HIPAA and PCI, my opinion is that organizations, and more specifically security officers and data privacy officers, have a social responsibility here. They should not content themselves with merely requiring staff to abide by a set of policies and procedures disseminated in writing or through information sessions (often falsely named awareness sessions) dictating what they may and may not do and how they are expected to do it. This is definitely not enough.
Security or privacy officers should establish a real blame-free security culture wherein people contribute willingly, not because they fear disciplinary sanctions but because they feel personally involved in and concerned by the protection of the business data.
This can be achieved through the delivery of vivid, and let me underscore it: VIVID, awareness sessions focused on their case. Through dialogue (not one-way talks or presentations), plain-language explanations, anecdotes and stories, and funny material (pictures, movies), they should be apprised of the rationale behind such sessions and why they are bothered with these tedious, cumbersome policies and procedures. They all think that way, so let's be honest and show them we agree on this point.
They should learn about the reasons why security is a critical matter for the company, and about the consequences of incidents and breaches for the company and its customers. They should hear about past incidents that took place inside the company (these serve as illustration and evidence that, yes, shit happens), about the threats and attacks they could be confronted with while working but also in their private life, and how these could be avoided or thwarted. Last but not least, they should be told of their primary role in the defence of the company's and customers' data. They should be encouraged to speak up whenever they feel that a policy or procedure is inappropriate in their case, and to report any weird situation they have faced.
All this should help increase the ability of their staff's security mindset to address digital risks, and eventually transform them into one of their strongest and most efficient lines of defense.