Hi, I’m Ken Dawson, the CISSP-certified Chief Information Security Officer at ClearStar, and this is the next installment of For the Public Record—a blog that features thought leadership from the most seasoned experts on our staff, across all functions of the background screening process.
Most discussions, questions, and anxieties that we hear around information security seem to be about things like firewalls, virus and malware detection tools, SSL/TLS, zero-day exploits, and sophisticated hackers. While all of the high-tech software and devices are important, information security is really all about people. If we look at it from the right perspective, we can see that people are the key to understanding what we are securing, why it needs to be secured, and how we can effectively secure it.
What are we protecting?
The usual answers that revolve around data, systems, servers, databases, data centers, and source code point to the various ways we store, access, and provide information. What they obscure is the real victim in any security breach—the people whose data is exposed. The reality is that it’s real people who are harmed when a security incident occurs—family and friends, coworkers, business owners.
By focusing on the real people who will be most affected by any vulnerabilities that can be exploited, we are able to see the true risks involved and prioritize our efforts properly. It’s often too easy to view all of this as having abstract, unnamed potential victims or to assign all of the risk to large entities like businesses or government agencies, but when we see that the impacts of failing to address the risk actually fall on individuals, it can help to motivate us to find solid solutions.
Why does it need protecting?
It would be easy to blame the potential vulnerabilities on insecure systems, aging software, inadequate controls, or unpatched servers. All of those can lead to exploits and breaches, but the root cause of the issue we’re protecting against is that people make compromises that allow access to the information. If you look at the latest publicly revealed breaches, the common thread is that someone inside the organization was either careless about following procedures, was taken advantage of through social engineering, or was made vulnerable by an organization that didn’t implement controls with the necessary rigor.
These were all people-centered issues and not failures of technology or security controls. In many of these cases, the controls were in place but were circumvented through carelessness or a lack of vigilance. In other cases, it was the technology and security teams who failed to live up to their own security policies, leaving the person who was targeted open to the attack.
How do we protect it?
The answer is the same as the previous questions—people. What is needed to protect the information we are entrusted with is to have a solid team that is empowered to do what is needed, is trained properly so they know how to act, and is provided with the tools to do the job well. The tools and training will enable your people to avoid common vulnerabilities and attack vectors. The key to making this work is to empower them to work together as a team to act when necessary.
So the initial point of focus for us in information security should be placed squarely on people. That is, the people who trusted us with their data, the people who are most likely to be targeted by the bad guys, and the people who can work together to prevent the attacks from being successful. This is For The Record.