Mandatory annual security training has become ubiquitous for IT professionals. The security policies it covers define the expected behavior of associates in security-relevant situations, and are backed by various levels of disciplinary action for non-compliance.
Why is it so hard to get people to follow these policies? In many cases it is because the unwritten policies embedded in the corporate culture carry a higher cost politically or personally to the employee asked to carry them out.
When policies conflict with project realities in such a way that there is no “right” action, people will take the path of least harm first to themselves, then to the company. The unwritten rules of the company’s culture create systemic incentives that shape the path those non-compliant actions take.
If we understand the motivations for non-compliant actions, it is possible to reverse-engineer the cultural incentives in order to fix them. In my experience, this is far more important to preventing security breaches than the technical controls.
One of my past clients had a large messaging network with many nodes on back-levels of software. The projected cost estimates to upgrade the entire network ranged from $3.5M to $4M. To mitigate operational risk, extended support was purchased from the vendor. But most of the back-level nodes were so old they were ineligible for support. An inventory found that about $1.5M of the yearly extended support bill was wasted on ineligible nodes.
In this case, the incentive program that rewarded waste reduction was available to business analysts but not line-level support people. There had been several cases in which the vendor declined to provide support, and it was an open secret among the front-line support team that these servers were orphaned. Much of the work of patching fell on the same operations team, but they (Read more...)
This is a Security Bloggers Network syndicated blog post authored by T.Rob Wyatt. Read the original post at: Cylance Blog