Security professionals are constantly faced with a conflict between the security team and the rest of the business.
Implementing new security policies, tools and practices can be challenging, as security professionals and end users may hold different views on security-related activities.
Security programmes cannot succeed without considering people
David Ferbrache, technical director at KPMG UK, says: “No approach can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation, and, most of all, how we can create a security environment which helps people feel free to actually do their job.”
February’s book of the month, The Psychology of Information Security, identifies the reasons behind employees’ security decisions and examines why the choices they make are often non-compliant:
- There is no clear reason to comply.
- The cost of compliance is too high.
- The means of compliance are obstructive.
To ensure that users comply with policies, it is important that the security team also considers employees' behaviour and their attitudes towards compliance.
Considerations when communicating new security policies
The Psychology of Information Security provides the following recommendations when communicating new security policies, tools and practices to impacted teams:
- Articulate the benefits – ensure you position any new processes or tools in a way that highlights the benefits to each group.
- Provide clear steps – clearly outline the steps to allow staff to realise these benefits.
- Communicate frequently at the right level – communication needs to start at the top of an organisation and work its way down so that priorities and expectations can be aligned.
Create a robust security culture that is understood by your staff
To fully understand human behaviour and end users’ motivations, we recommend you read our book of the month, The Psychology of Information Security.
This bestselling book is based on insights gained from academic research and interviews, and considers information security from both end users’ and security professionals’ perspectives. It will help you:
- Ensure the success of your security programme by revealing the psychology behind information security;
- Mitigate many of the challenges faced in risk management with helpful advice and tips; and
- Improve your security culture and find the balance between security and productivity with valuable insights and recommendations.