As 2011 draws to a close, inspiration for the way forward in the information security industry is drawn from the past and a man outside of it: Apple’s former CEO – Steve Jobs, who passed away on 5th October, 2011.
It was interesting to see the huge number of tributes for Steve Jobs, when he passed away in October this year. Has there ever been such a response for the death of a technologist? Steve Jobs’ death produced tributes from people from every walk of life and all corners of the globe: from Presidents to Prime Ministers; from rock stars to every day users of their products. Steve Jobs was a special person, who instinctively knew what his customers wanted – without asking them. He saw the value of technology as an enabler: in improving people’s lives- but he absolutely understood – that most people are not fascinated by the technology in itself but what it can do for them in their everyday lives (in the same way the motor car was an enabler in the last century: few people are concerned with how they work). Apple’s products all have an underlying intuitiveness about them that really does allow their users to unplug and use them straight away– without assuming any technical knowledge hitherto.
Most of us, however, do not possess that instinctive insight that Steve Jobs’ had – we have to do our market research with our target audience first. Historically, many information security professionals will not engage with end users at all – since these are the people -they believe – will ask for things they can’t have and do all the things they don’t want them to do.
Some years ago I was brought into an American Investment bank as project manager, on a desktop platform refresh program that had previously failed miserably in its objectives. Successive project managers had come and gone on that project, and it always seemed a case of one step forward and two back previously. Typically – for the IT department – the team were kept out of sight and out of mind in the lower dungeons of the bank: safely away from daylight and customers. There wasn’t even a telephone for the team – all communication had been done via email previously!
I decided that as well as talking to the head of each business unit to determine what was their requirements were, I would also – shock horror!- talk to the end users of each team to determine and capture which applications they used and how they used them in their day to day tasks. I also initiated a series of end user tests, and ensured that a representative from each team came down and tested the applications before the desktop builds were approved and shipped back to the respective end-user desks. When business managers asked why we would be asking for 30mins –of one staff member’s time for testing, I explained to them that this was improving staff productivity, by reducing helpdesk calls and eliminating the need for recalled failed builds. This strategy payed off: not only did we retain this business we went onto to win further rollouts for other parts of the bank.
This year I’ve heard and seen things which beggar belief. A consultant proudly boasting that the organisation he was contracted to work for “deserved data breaches” because “their staff were uneducated” (worse still, he meant this in a generic sense, not specifically to information security best practice education). I’ve also heard all security vendors being branded as “snake oil vendors”. An interesting concept – I don’t think we’d have much of an industry without security vendors, and I’ve come across one or two unscrupulous practitioners in my time who have a scant disregard for data privacy themselves to whom the disingenuous adjective could easily apply.
Whilst there certainly are some security vendors around to whom the adjective “snake oil” can easily be applied to (and a reputable re-seller recently reminded me of one): those that have little respect for their customers’ product feedback; who are in the business purely to make money without advancing genuine information security; and whose products are so desperately clunky to use that they require reams of documentation to use them; that greatly reduce user productivity and encourage their end users to find a workaround, and thus bypass security policy. Equally, however, there are some innovative vendors on the market that are genuinely interested in advancing information security, by helping develop new standards; thinking of helping the SME community by taking away the laborious task of log oversight from them and outsourcing it to specialists; or helping to secure the use of the cloud. I’ve come across all these types of vendors too this year. To label all security vendors in the same fashion is not only disingenuous to all vendors but also rather childish.
Earlier this year when I interviewed the UK’s Information Commissioner, Christopher Graham, for the ISSA, he remarked how he felt that end users were just not getting the message regarding data protection. Too often we see the same old problems: users not being educated, making basic mistakes. Personally, I think we have an industry that’s geared up for messaging aimed mainly at board and manager level and around legal compliance, so is it any wonder? Who is teaching the end users how to handle personal data correctly, and what should and shouldn’t be stored regarding credit cards on a day to day basis in their jobs? Similarly, I’ve always disliked the industry term “evangelist” – widely used in our industry – since that implies preaching! Who on earth likes being preached to? Perhaps that’s why few end users are listening.
We urgently need an approach where information security professionals think about being business enablers, whilst enhancing security, and can talk in a language that their end users understand. For twenty years plus now, we’ve been thinking that all our problems will be solved if only we throw more technology at it. Yet still we see data breaches. Similarly, we need security products that are focused at improving end user productivity, rather than working against the business. Then users might stop looking for workarounds, to both the solutions and hence their security policy.
If only Apple did iSec!