I was struck by a comment last week from a security vendor. The article appeared on Ars Technica, and the journalist, Rupert Goodwins, was deploring the fact that most vendors of security tools cannot say how effective their solutions are. “If vendors were doctors, then indeed many of them would get struck off the medical register,” he commented.
But walking around the floor of Infosecurity Europe 2016 he did find one or two exceptions:
A bright-eyed booth denizen leapt out at me asking if I had any questions about their product, Phishu. So, I asked. “Some of our customers report 100 percent success, but in general we reduce the number of incidents from around 30 to 40 percent successful phishing attacks to three or four percent.” And how does this remarkable technology work? “Oh, it’s not a technology. We’re a training company. We teach employees how to be safe.”
Remarkable. Not just that someone is prepared to say how effective their offering is, but that the solution lies within people, not tools.
The answers to a lot of our problems are found in people. If we have a systemic problem then a sensible response is to change the system. One of the most powerful ways of changing a system is to change the way people work and interact because so many systems, at heart, centre on people.
Like so many problems, security problems are systemic to a large degree. And like so many systemic problems they’re easy to miss. Any security threat can be reduced to something specific, and a specific solution is most likely available—a software tool, for example. But there are an awful lot of very specific threats, and we will end up playing whack-a-mole with them—buying more and more specific solutions until we run out of energy.
Talking, educating, training, coaching… These are all good ways to make systemic changes. Tools still have their place, of course, but they have to be underpinned primarily by appropriate human behaviour. If the tools and constraints we give people don’t work for them they will find ways round them—and this may go under the radar. If we win hearts and minds then we will have a much more embedded, intelligent, flexible way of working.