In the security industry, we see many kinds of biases influence our decisions. For example, when organizations spend upwards of 80% of their time and security budget on technology, and 10-15% on policy and process, very little is left for investment in the people in the organization. Contrast this with the knowledge that at least 82% of breaches can be traced back to human factors, and it becomes clear that we need to change how we do things and who we ask to do them.
The information security (“infosec”) function of many organizations, if not entirely embedded within IT, can sometimes also be found within the GRC unit (Governance, Risk and Compliance). In this scenario, the infosec responsibilities are shared between IT and GRC, where the former handles all the technical aspects of information security (security infrastructure, application security, etc.) and the latter usually handles policies, standards, risk management and similar topics. What about training and awareness, you ask? Well, we see that it often falls through the gap, with neither IT nor GRC taking charge of this topic. Perhaps it is time to add a separate function focused on this area.
The GRC-based infosec team works with internal auditors and privacy officer(s) to create policies and procedures designed to meet the privacy and information security needs of the organization, and to implement the processes they develop.
With the IT-based team focusing on the technical needs of cybersecurity and the GRC-based team on the process-related needs, a focus on the people element can often get waylaid. Because both teams center on technical and organizational controls rather than human factors, the people element gets lost along the way.
Where in the organization of the information security function have we made room for specialists in understanding, incorporating, and leveraging the human element? These are specialists who can help design and build the right security culture within the organization, and who have the power to influence the decisions of those who choose the technical and organizational controls being implemented. Problems related to the human factors of cybersecurity are solved much more effectively when a multidisciplinary team (with expertise in cybersecurity, psychology, organizational theory, communication and human interaction) is involved.
It is people who build and implement the technology and processes that are designed to keep organizations and employees safe. Somehow, in the evolution of these things, we have forgotten that people are also the ones using the technology and are expected to understand and follow the processes set out. If we fail to understand the mindset of our colleagues in other areas of the organization, who are also trying their best to do their jobs, we fail to notice the small points of friction that accumulate across the organization whenever the technology implemented or the process developed fails to make their own tasks easier, simpler or quicker to complete.
It is often said that people are by nature inherently lazy. But in actual fact, we’re just very good at finding easier, quicker and simpler ways of getting things done. We naturally and biologically want to find the most efficient ways of doing things.
At Praxis Security Labs we understand people, as well as risk and security. Our multidisciplinary team of experts helps organizations like yours to reduce the friction in the security implementations in place. We investigate the current status, engage with stakeholders, and recommend improvements that reduce risk and improve security.
Talk to the experts today to learn how your organization can improve its security posture!