In a world of ubiquitous technology, it’s never been more critical for organisations to have a robust security strategy. In an attempt to mitigate risk, Australian organisations have upped security spending by 59% this year. But in doing so, many are missing the point. Having the latest technology and processes is not a foolproof solution to information security. To be effective, a security strategy must be people-based. That was the message from Angela Coble, Director of Business Technology ANZ at Johnson & Johnson Medical (J&J), who talked to the audience at the recent CIO Summit in Sydney about how to create a positive security culture and turn employees into an asset.
A typical security framework consists of people, processes and technologies. Technology is taken care of by technologists, and processes are frequently reviewed and updated; the people piece, however, is almost always an afterthought, or forgotten altogether. An organisation might have the best technological mechanisms in place and rigid training processes, but none of these will be effective unless a conversation is created around them and behaviour is actually influenced. As PwC’s Australia and Asia Pacific cyber leader, Steve Ingram, told CIO Magazine, “It doesn’t matter how much you spend on technology… if your people don’t understand their role in cyber[security]”.
The human element is one of the biggest sources of information security risk, as well as one of the most difficult to control. A recent report by the defence and security consultancy QinetiQ explains that employees are the principal vulnerability in an organisation’s security, citing human error, lack of staff awareness, and weaknesses in vetting individuals as common causal factors in security incidents. Worse still, 81% of large organisations that were victims of hacking in the last year stated that the actions of their employees unwittingly aided the attacker. QinetiQ warns that a lack of security culture is the reason many organisations are exposed to cyber attacks, and that CIOs must address the issue at the heart of the organisation and create an environment in which secure employee behaviour is the natural default.
Continuing with this theme, in Deloitte’s Technology, Media and Telecommunications (TMT) Global Security Study, 70% of organisations surveyed rated their employees’ lack of security awareness as an “average” or “high” vulnerability. As the report states, “People do not act securely by nature, and secure behaviour erodes with time, especially when there is a lack of security awareness. This makes life easier for any malicious party; you don’t need to hack the system if you can compromise the human.”
A security success story: Johnson & Johnson
At a time when attackers are making the most of employee negligence, and breaches are fuelled by ignorance almost as frequently as they are by malice, technology-agnostic security programs are necessary. Under Coble’s leadership, J&J has mastered the art of people-based security. Coble took on the role at a time when traditional organisational borders were being eroded, but recognised that no matter how much the technology evolved, the one constant was the people in that relationship. As she said, “It’s all well and good to protect with technology, but what if someone in the organisation downloads something onto a PC?”. In what she calls “taking the IT out of security”, Coble decided to remove technology altogether from the discussion and focus on changing behaviour.
This took the form of a suite of engaging education videos, filmed using real members of the security team, which reminded users of the importance of issues such as physical device security and protecting intellectual property, and showed the business how staff can help technology evolve while understanding the risks. Helping staff recognise real risks (intentional or accidental), and understand that their own behaviour can mitigate both physical and virtual threats, secured the ‘human’ first. Coble stressed that creating a security culture in the organisation wasn’t about scaring people or having a “doomsday mindset”. Rather, it was about creating awareness without alarm: building relationships and a culture of trust, and helping people to do the right thing.
This seven-video series improved all forms of security at Johnson & Johnson. Best of all, the investment was minimal. With “zero budget” to get the project across the line, Coble tapped into existing resources, training, and people’s time and turned that into equitable value – in the CFO’s terms. As Coble told CIOs at the Summit, “You don’t need a big budget in this space. Use the money you do get to engage third parties to manage the tech network, and you focus on engaging the people in your organisation. CIOs need to get better at embracing third parties – you can’t be doing everything for everyone”.
Many CIOs are yet to come to terms with the fact that IT security is a people issue, not one of technology. In most organisations, the technological mechanisms are in place, but there is little consideration given to the human behavioural elements. But technology can only do so much to protect a business against a breach when attackers are making the most of employee negligence. Without proper staff education and behavioural change, any technology investment is made in vain. The secret is to engage staff in the right way, so they can convert learning into tangible action and new behaviour. As Coble says, “When you give people the right skills and awareness they’ll acknowledge the behaviour and repeat it. That’s what securing the human is about”.
For a more in-depth look at the fundamentals of protecting the enterprise in today’s threat landscape and creating a security culture, download our complimentary how-to guide: Security in a world with no perimeters: A business-centric security architecture.