As security executives, we expect certain “proper” behaviors from our constituency. How do we set these expectations? We usually start with policies and standards. But what percentage of your constituency really knows your policies, and how well do they apply them?
Every control that you implement must have a human factor. People install controls. People validate controls. People monitor controls. People respond to anomalies in monitoring. People can be predictable, but not always reliable. The most valuable control that you can install is the combination of practices and procedures within your culture that demonstrate the “human factor” controls on a daily basis. This means that everyone should know what their job is and what controls exist around it.
One of those jobs is management. Local management is your primary controls manager.
In some of my positions, managers have asked me to provide video or computer logs of a given employee's activity. I always ask what objective they are trying to achieve. More often than not, the answer is, “I think they are doing something wrong. I want to fire them and I need some evidence.”
I usually turn down these requests. I always recommend that the manager try to determine what wrongdoing has occurred and find a way to either witness the wrongdoing or, very often, ask the employee what is going on. This resolves the matter in at least 80 percent of the requests.
Also, examine the costs of applying controls across your enterprise. When you apply only technology to threats and vulnerabilities, you can fall victim to the pitfalls of FUD (fear, uncertainty and doubt). You run the risk of investing more and more in a technology solution that might only provide a financial return in a worst-case scenario. New technology is always available, so you will always need to spend more to keep up. The amount of your investment should never exceed the value of the assets you are controlling or protecting.
When you recognize the human factor elements within your controls, you can estimate costs more consistently across your controls.
30 SECONDS ON...
Take into account
It's important for managers to remember that when you set clear expectations for people, you affect how and if they meet those expectations, says Jeff Reich, information security officer, CompuCredit.
Trust is relative?
Further, when you examine your control points within the enterprise, include the human factor in each case, says Reich. He points out that it's normal to base good security on trust, but trust is relative.
A question of degrees
For example, if you trust someone enough to give them $5 to buy you a pack of gum and bring you change, you may not trust that same person to take $10,000 of your cash and deposit it in the bank for you.
Good business sense
To manage costs around controls, one must weigh potential losses against the cost of controls. It makes good business sense, says Reich, to find a meeting point that doesn't skew to either side of the fence.