Despite its grounding in all sorts of complex technology, information security is ultimately a human endeavour. That is the argument made by Mark Nicholls, head of information security & governance at one of London’s largest and oldest housing associations, Peabody.
Ahead of his panel appearance at Cloud Security Expo, Nicholls discussed the best way to help your people stay secure, without creating a ‘blame’ culture.
“Users are the weakest link.” This phrase is often rolled out, and has gained serious traction when discussing cybersecurity. Nicholls, however, is not a fan. He argues that colleagues, customers and partners can actually be the strongest line of defence in the fight for information security.
At Peabody, Nicholls tries to ensure his team are always on hand to give help and support, and encourage people to speak to the team if something doesn’t feel right – even if nothing comes of it, he argues, it is better the team knows.
By combining this approach with awareness and education, and avoiding a blame culture, Nicholls believes his colleagues are empowered to become security champions, rather than being afraid of it.
Changing security culture
It is an unfortunate fact that organisations with this structure are probably the exception. Changing behaviour so that people feel more able to approach their information security team can be difficult.
Opening up a conversation with an example helps people understand how better practices can directly affect them
Nicholls recommends starting at the top. By leading through example and changing the culture at c-level, it’s far easier to instil an enthusiasm for security throughout the organisation.
At Peabody, Nicholls notes that the CEO had previously seen information security as something purely for the IT team to worry about. After the director of finance received an email from somebody masquerading as the CEO, asking for a money transfer, did he realise the importance of security, and the role that everybody has to play.
Following that, the CEO took part in a short video for staff, where he spoke about the importance of information security. Personalising the risk in this way, Nicholls argues, is far more impactful and helps people become aware of what they need to do and need to know.
That human element is key. In Nicholls’ experience, people seem to be relatively adept and aware of security risks when doing online shopping at home, for instance. But once they enter the workplace they tend to see the personal impact to a lesser extent.
Opening up a conversation with an example helps people understand how better practices can directly affect them. Nicholls once explained to a member of HR staff that by leaving their workstation unlocked with the HR system open he could change the bank details of their payroll record so that their salary could be paid to him.
This action would have affected them very directly in the sense that they wouldn’t be able to pay their bills. That person, Nicholls says, now locks their workstation whenever they leave their desk, and encourages others to do the same.
How InfoSec has changed
Having started his information security career in academia 12 years ago, Nicholls’ career developed through traditional IT roles and into more specific security responsibilities. A chance meeting at another university led to him joining a group of security professionals based in London, who collaborated and brought new ideas together.
By consistently saying no security teams can be seen purely as a barrier, which encourages a move towards ‘shadow IT.’
Discussions at this group made it clear that they were all facing the same challenges. At that time, there were very few full InfoSec teams in academia, and looking back now, Nicholls sees a similar trajectory to maturity in different industries.
What this path to maturity does cause, he argues, is a stifling of collaboration. In the commercial sector, where competition drives a lot of behaviour, this is particularly true. According to Nicholls, this approach doesn’t help the end user. Cross-sector collaboration, he says, has a long way to come.
Saying ‘yes’ – securely
By consistently saying no, and blocking requests, security teams can be seen purely as a barrier, which encourages a move towards ‘shadow IT.’
At Peabody, there is a need to share sensitive information with partners. However, because IT had not previously come up with a solution to securely share this data, they had been telling staff not to do so. That led to some people using Dropbox, which obviously the IT department can’t control.
Nicholls’ approach was to embrace the challenge and look for a solution that would not block business-critical operations. The result was a successful, award-winning solution.
The relationship between InfoSec and the rest of the business
The security team, Nicholls notes, are trusted by the rest of the business to deliver secure solutions and keep them safe. Evaluating risk is a big part of that job, and a mixture of solutions can be put in place that means the InfoSec team can be seen as an enabler rather than a blocker, while also satisfactorily keeping the business secure.
At Peabody, there is backing from the most senior staff on this point. Nicholls says his first exposure to the board was with the signoff of the overarching information security policy. At the time this happened, the chair of the board was also involved with an NHS trust that had been affected by the WannaCry attacks.
This meant they understood the risks and was familiar with the consequences of an attack. As such, Nicholls and his team gained the full support and backing of the board. This, he says, is a vital ingredient to producing an effective and secure InfoSec policy – but also one which allows them to say yes.