There’s no such thing as perfect information security. However, through developing our behavior patterns, thinking and security culture, we are able to improve our information management and protection. Once we as people take control of the situation, the technology will follow.
Individuals don’t understand information security
During last spring’s project, I came to think that development projects related to information security management are often approached from the perspective of security, organizations, data systems or technology – and by emphasizing the threats. There’s talk about frameworks, risks, operating models, policies, management methods, processes, systems, techniques, vulnerabilities, attack vectors… the list goes on. Jargon abounds but nobody seems to talk about the people and their needs and expectations – let alone feelings! – except when they’re seen as the careless culprits of security-related problems. We humans are the weakest link.
It’s entirely natural that information security causes trouble for people: it is a holistic topic and therefore difficult to manage. Information is not tangible, and we Average Janes and Joes have no practical understanding of the value of data. Our imaginations are simply not capable of figuring out how information can be abused. Data is something that lives inside devices and systems that we can just barely use and whose operating principles we don’t understand. No wonder we may feel insecure and defenseless against all the complexities surrounding us.
Often the topic is approached from a perspective that is either too narrow or one-dimensional. For instance, business management may view information security as an IT problem or purely as an exercise in bureaucracy with its data security policies, certificates and agreements. A software developer’s understanding of information security may not extend beyond their own secure coding. A UX designer, on the other hand, may look at the topic from the viewpoint of service logins. However, between these points of view, there are several others to consider, including the following:
- Who owns and manages information security development? How can people be engaged to be part of the development?
- How is risk management carried out, and how is information security taken into account in the planning of business continuity?
- How can one ensure that people have sufficient knowledge of IT and policies, as far as such knowledge is required in light of job descriptions and data processing requirements?
- How have the protected assets (information stores) been identified? How has the responsibility over the assets been assigned?
- How has one made sure that the practices and policies of system and software development produce secure solutions?
- How has one ensured the safety of software operating environments (infrastructure)?
- How is the service being monitored, and how are security breaches handled and recovered from?
- How has one ensured people’s physical safety?
- How has one ensured the safety of the staff? What about the subcontractors?
- How does one monitor the effects of information security management? How is it developed as part of the overall business?
- Which best practices have been adopted or which service provider guidelines have been used to ensure security?
- How does one demonstrate (e.g. during an audit) that the plans have been carried out as described?
When I look at the list above, the sheer length of it still manages to amaze me. It’s difficult to understand the overarching effect that information security has. In his book “Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own” Dejan Kosutic writes about this lack of understanding as follows:
There is actually one top reason that most information security practitioners are emphasizing, that is responsible for the failure of their projects: lack of understanding from top management and, consequently, lack of their continuous support.
However, top management is not the only problem. Very often, information security practitioners are, if not completely misunderstood, then at least avoided by other employees in a company.
The solution to this problem? You are probably not going to like this: you have to become a combination of a diplomat and a salesman. You’ll have to sell the idea of information security to your management, to your employees, and to your partners, and you’ll have to use all your power of persuasion to convince them. And no, your job as information security practitioner is not only about safeguards or security processes – it is primarily about psychology and convincing people around you.
In other words, information security management is a psychological and interactive endeavor – a job for humans.
Focusing on people through service design methods
Managing your information and data security should be a civic competence as much as knowing the traffic rules (‘Internet user’s license’, anyone?). Similarly, the designers, developers, and operators of digital services should possess basic skills in managing information security on their own turf and understand that the responsibility over information security is shared. Ask yourself these questions: Do the company values and culture support continuous development and learning at the workplace? And, is it OK to admit that you don’t understand what information security entails and that you feel uncertain about how it affects you? Developing our skills and understanding would allow us to strengthen our weakest links. In time, the links in our chain would form a network that would protect the information which is just as important for us people as it is for business.
If human error is really responsible for 90% of reported data breaches, why won’t we develop organizational information security management in a human-based, or at least human-centered, way? When developing management methods, the development process should involve the people whose work is affected by the management from the get-go. Such an approach is more likely to produce solutions that people are happy with. This will subsequently lead to improved policy adoption and impact. The people who take part in the development may also become spokespersons for the solution, thus helping to carry the desired change through.
The tools of service design include lots of useful methods that help in understanding people’s thoughts, needs, feelings, and experiences. They also include ways of engaging people in the process of developing and planning solutions that are right for them. Interviews, surveys, observations, task analyses, cooperative development during workshops, and of course data analytics, are examples of some of the more traditional approaches. A design engineer’s toolbox similarly includes tools, methods and ideas that can be used to test the functionality of the designed solutions, for example by testing prototypes or carrying out other quick tests.
Designers often try to see the big picture and map out systems in a comprehensive and visual manner. This same approach can just as well be used in the development of information security management. The connections between the protected assets, threats, vulnerabilities and management methods are both numerous and diverse, so making them easier to understand and discuss calls for some exemplification. Even a simple illustrative visualization is worth more than a thousand words.
Today’s design work often uses canvases (e.g. Lean Canvas) to support information collection, visualization and process flows. The spring project inspired me to outline a couple of such canvases, which may help in developing information security in a human-centered way. The first one is suitable for the initial mapping of the project and defining its objective and current status. The second canvas aims to bring attention to the individual in the middle of all the information security management development. What’s the weakest link like this time and how could it be strengthened?
I will attach these canvases to the second part of this blog post where I share my thoughts on how they could be utilized in the development process of human-centered information security management.
Taking the bull by the horns
Information security and its comprehensive management may easily seem like an abstract topic that’s difficult to tackle. And even if you manage to familiarize yourself with it, you will soon realize the vast amount of work that needs to be put into it. Even a small organization can easily have numerous data devices, systems and thingamabobs that are in daily use and contain sensitive information not meant for prying eyes.
Don’t be taken aback by the size of the task ahead, but start purposefully building a world without fear for tomorrow. Design methods and design thinking can be applied, in addition to the service or design itself, in designing any underlying business processes, policies and other management methods in order to create a safety net around the valuable information your business possesses.
Another key tool in this development work is risk management. After picking the low-hanging fruit provided by the organization’s existing system and its management, such as access policies and two-step verification, why not turn the team’s and organization’s attention to risk recognition and analysis? This work ensures that everyone’s understanding of the asset in need of protection and the threats it may encounter increases and that the development backlog of information security management gets prioritized.
Ask yourself, what is the probable threat that would bring your business to a grinding halt if it ever materialized? Start by making sure that your organization is safeguarded against whatever your answer was and engage people in the design of the solution. Then just keep moving forward – one step at a time.
Some final words
I’m betting that many digital service product owners are probably now thinking about the state of their information security. This is something that should be discussed openly and with the team.
All that’s left to do now is to take the plunge. Who knows, maybe your next sprint will already include some tasks related to the topic.
Read part 2 of this blog here.