As we’re prone to do here at RMI, I’ve been thinking hard about security, risk and how organizations can become more effective.  We’ve been thinking very hard about metrics and measurement and governance and compliance and assurance and so on and so forth.  And one thing hit me funny today within that context, it’s the mention of the axiom “Security is a People Problem”.

In his article, “What can CISOs learn from the Societe Generale debacle” Khalid Kark writes:

Security is first and foremost a people problem:  Societe Generale probably had good set of security products and technologies in place, but all the security technology in the world won’t necessarily help if an employee is in a position to figure out the processes and has the ability to disable the alarms. It does drive home the point that the insider threat may not be the most popular form of attack, but it usually is the most damaging.

When most people use the phrase, they mean it in this context - it is an association Deming’s second obstacle; “Relying on technology to solve problems” with the practice of Risk Management.  Arthur of Emergent Chaos was kind enough to offer his opinion when I briefly chatted him about the subject.  When asked, “What do you think people mean they say ’security is a people problem’,  he replied:

Mostly, I think it means that people are inherently trusting and also lazy, so things like phishing and soc. engineering tend to work even on trained people.  It could also mean that security that doesnt’ take into account useability is doomed to fail if it’s going to make people jump through hoops.

SECURITY IS LOTS OF PROBLEMS

Now I think both quotes are correct.  And as I’ve thought about the subj. this AM, I’ve come back to the concept that any individual security “issue” is really related to some human actor (even a natural disaster as a cause impacts people and quality of service). But what does that mean for Risk Mangement?  If individual issues are at the whim of the individual actors involved, does that mean Risk Management is a “people problem”?  May I answer “Yes”, but with a caveat?

RISK MANAGEMENT IS AN ORGANIZATIONAL BEHAVIOR PROBLEM

So if the specific act of “secure” is mainly in the hands of people (in ability to attack and/or defend), then, in my mind,  Risk Management becomes an Organizational Behaviour problem.   An organization, though made up of people, almost always acts differently than the whim of any one member.   Let  me offer that IRM is an Org. Behaviour issue because:

1. The risk tolerance of an organization is (should be?) set by the board and by senior management (a group or groups).
2. This risk tolerance is expressed by Policy.  It is organizational communication from the group in 1 to individuals who are now all individually accountable in the same manner (they are treated as a group or organization).
3. The effectiveness of matching “security” to risk tolerance is a function of the security department, audit, external stakeholders like consultants or government actors, and senior management (in their willingness to allocate resources to an operational expense vs. some other “bucket”).  Again, groups (or organizations) of people working under the same premise.

In fact, if you read the Forrester blog post through the lense of Org. Behaviour, you’ll find that many of the lessons to be learned mentioned there aren’t so much people lessons as they are organizational lessons - because what enabled the security at Soc. Gen. was a break down not in technology, not in control, but in the absense of controls, and therefore is a Risk Management issue at it’s heart.

I say Soc. Gen. was a Risk Management issue because Sr. Mgmt. there should have been aware of the risk.  It’s not like this hasn’t happened before (in fact, I recently read a good breakdown of freuqency of such incidents from Protiviti in which they show that these sorts of things happen every 18 months or so).  So  either Sr. Mgmt. was aware of the risk and did not act upon it by changing the behaviour of the organization (my point two, above), or they were not aware of the risk - an ignorance that could only be the result of a non-chalant view of Operational Risk by Sr. Mgmt (point one).

AM I SPLITTING HAIRS?

If you accused me of being to particular here, I’d probably plea “guilty” (after all, people *do* make up organizations).   But if we’re going to actually apply fields of study to the problems in our industry, we can not  ignore the differences between affecting individual actors, and affecting the organization as a whole, and the key to understanding how to influence an organization is to understand Organizational Behaviour.

In addition to his 14 points and 7 deadly diseases, he has 4 “Lesser Category of Obstacles” that organizations must overcome if they are going to reach a decent solution to the problems they face. However, whereas Deming wrote these for individual businesses, I think of these in context of our general industry.  My comments are generalizations, to be sure, but I think these characterizations are not without merit.

In no small way, we do collectively operate as an ad-hoc organization.  We’re not unionized or otherwise federated, but there is a certain brotherhood even among the disparate personality types in our industry (despite how snarkily we deal with each other at times).  If we can allow ourselves to think with a federal vision for the industry - acknowledging that the answers we seek are neither simple nor apparent - then I believe the Lesser Category of Obstacles can serve as guidelines from which to operate as we move forward.

DEMING’S LESSER CATEGORY OF OBSTACLES:

1. Neglecting long-range planning.

Despite the best efforts of many very smart people in our industry (Read or Listen to Ranum on the future of the industry), this is an issue that those with the power and ability to shape the direction and future of InfoSec (i.e. standards bodies and governments) seem to need address.  The balance between prescriptive ISMS and flexible governance is a grey area that needs more separation of hue, more direct study of how and why Governance, Risk and Compliance can and should work together to protect not just consumer data, but the interests of the data owners.

2. Relying on technology to solve problems.

I don’t think I need to write a ton about this one.  If you’re confused and think that technology will solve your InfoSec issues - I’ll refer you to Richard Bejtlich on the subject.

3. Seeking examples to follow rather than developing solutions.

Too many professionals seem to suggest we take the lazy way out.   “Just give me a prescriptive ISMS and allow me to transfer my risk to the checklist.  Whatever you do, don’t make me think about the best way to secure my data because the uncertainty involved makes my stomach all knot up.”

Let me offer that this mode of thinking is not only an offense against Deming proverb #3 here, it’s also a sin against #1, 2, and 4.

4. Excuses, such as “Our problems are different.”

*ding*ding*ding*ding*ding*

We *have* to get over ourselves.  I would offer that we must humbly view ourselves as just are another area of operational risk, without pretense for our perceived intelligence.  They say a little knowledge can be a dangerous thing.  I would offer that just because we’ve lost our innocence concerning the level of sophistication needed to utterly destroy a corporate body using “cyber-warfare” doesn’t mean we’ve got any claim to intellectual superiority concerning risk and the decisions our organizations make (despite our recommendations to the contrary).

Once we realize that, fundamentally, we’re not as unique as we think we are - we can stop pretending we’re an island and start looking to what other disciplines do and learn from them.