You can't secure what you don't acknowledge.SM

Friday, January 9, 2015

Core human psychology principles are what hold us back with security

2015 marks my 26th year working in IT and my 20th year focusing on information security. I'm so fortunate to work in such an amazing field and even luckier to have gained some wisdom over the years that has allowed me to understand the true challenges we face with information security!

As much as the vendors, researchers, and criminal hackers want us to believe it's the threats that cause all the problems, I'm convinced otherwise. Across the millennia of human existence, people with ill-intent have been a given - a fact that cannot be changed. Threats, both large and small, will always exist in the physical and digital realms. What can change is our approach to the threats we face, especially in the digital world.

You know the saying "It's not what happens to you but how you react to it that matters." That's nearly 2,000-year-old wisdom from the Greek philosopher Epictetus. And it still applies to our world today!

What's most important with information security is not just that we "react" but how we "respond" and minimize the impact when things go awry. This can only be done through well-thought-out plans which, in turn, require seeing the bigger picture and "getting" security.

I've written a few pieces recently on how human psychology impacts information security - both positively and negatively - such as:

Fortunately, I'm not alone in this thinking. One of the sharpest minds I know in security is Rob Lewis (@Infosec_Tourist), and I wanted to share with you a couple of his recent posts that take an even more intellectual approach to this subject:
5 Stages of Infosec Adapt or Die
"Ask for Evidence", Part 2 - The Need for Squeeze

...You need to follow Rob - he has lots of great insight.

What I'm trying to say is: know your enemies but, more importantly, know yourself, your managers, and your users. It's everyone beyond the "threats" that you must rely on to do what's necessary to minimize information security risks. After all, the threats wouldn't have much to exploit if people weren't so careless in their approaches to IT and security.

Work on problems, not symptoms. Learn how humans behave well enough and you might just resolve so many of your security challenges that you put certain threats "out of business" altogether.

More coming from me in this area in 2015...Cheers to a great year!