kevinbeaver

Want to bolster your security program? Keep users from making decisions.

Blog Post created by kevinbeaver on May 10, 2017

How many times have you witnessed security problems caused by a user making bad decisions? I'd venture to guess at least a few dozen if not hundreds. We've all seen where the perfect storm forms through weaknesses in technical controls, user training, and – most often – common sense, and the outcome is not good. Best case, it's ransomware or a similar malware infection. Beyond that, the sky is the limit. Before your organization suffers a breach and is having to answer to the news media and lawyers, there's one thing that you have to do: keep your users out of the security decision-making process.

Those of us working in IT and security are not in the business of making people feel good about their jobs. Rather, it's our duty to make sure that everyone is set up for success in day-to-day business processes. Every time you have a user faced with a security decision, such as whether or not to click a link, set a weak or a strong password, or update software on their computers, you give away your power and put it in the hands of your users – where it does not belong. I understand that it's difficult to manage a network environment, especially when you feel like users are working against your efforts every day. If anything, that should give you that much more of a reason to keep them from making security decisions in the first place.

I don't think it's insensitive or demeaning to keep people from having to make security decisions. They're not security experts. I know, your annual user awareness training session and security policies are supposed to cover all of that, but reality usually tells a different story. Like it or not, people make bad decisions and you have to do what it takes to keep them from doing so. In many cases, you can do this with technology. For example, in the case of passwords, if people are provided with the option to select a weak password, they will – most of the time. Ditto for backing up their data, updating their software, opening attachments, and so on. Throughout the history of humans, we have seen that people will, by and large, take the path of least resistance: what's easiest and what's going to get them what they need sooner as opposed to later. Instant gratification is the name of the game.

Start thinking about how you can set your users, your business, and especially yourself up for success by taking users out of the security equation. Look at your business workflows. Look at your user on-boarding process. Look at your challenges with shadow IT, BYOD, and the like. It's everywhere across your organization. Some things are obvious. Others not so much. But if you look long enough and hard enough, you'll find the areas where you need to control things using technologies, process adjustments, or just eliminating the situation altogether. If you continue to ignore this security challenge, your users will continue to make bad security choices, period. That's not what you want. Be proactive. Take charge. I strongly believe that if you spend enough time and effort in this one area of security, you can make huge strides towards minimizing your IT-related business risks.
