Managing risk and information security : protect to enable
Security and first-person shooter video games have one obvious thing in common: if
you’re not continuously moving, you’re dead. In this second edition of Managing Risk
and Information Security , Malcolm Harkins helps us move our thinking into areas of risk
that have become more prominent over the last several years.
Because there is so much new content in this edition, I will focus on a topic that has
risen to greater prominence since the first edition: people are the perimeter. When we
reflect on what has changed in recent years, with an eye to the vulnerabilities that result
in real-world compromises, a pattern emerges: virtually all the major breaches that we
have seen involve manipulation of people. When nearly everyone has heard of phishing,
we have to ask ourselves: why is it still such an effective tool?
The obvious theory is that we haven’t managed people risk as well as we should.
Perhaps we have been standing still and need to learn how to dodge and experiment
with the way we drive better people-security outcomes. Unfortunately, the path is not
100% clear. Unlike technology, the field of influencing human behavior in security is
remarkably complicated and supported by limited research.
Malcolm provides us with a great foundation and framework to build our
“security engagement” functions. I like to use the word “engagement” because it
speaks to how the security organization relates to the workforce in a manner that isn’t
simply bounded by the more traditional term “training and awareness.” Engagement
encompasses anything that shifts the desired behavior outcome in the direction we want
it to go. I have seen remarkable shifts in measured behavior from the use of
non-traditional tools such as security gamification and simulation.
The way Malcolm differentiates between “compliance” and “commitment” is key.
Managing Risk and Information Security is an ever-evolving classic in the field of security management.