When it comes to information security, having user support is as important as having management backing. But in many cases, IT and users can't find a middle ground: IT's security demands get in users' way, or power users create more work for IT.
However, user help is crucial for moving forward with security and minimizing business risks. Here are several things that you can do to gain user support:
- Understand why people don't listen or care. Some don't understand what can and cannot be done. Some know that policies won't be enforced. Others are just lazy. But perhaps the biggest issue is that many people's willingness to violate policies outweighs their perception of the risks involved. Their expectations haven't been properly set. Find out what's going on -- and fix these issues first.
- Express what's in it for them. People are motivated by the desire to gain something and move ahead or by the fear of losing something and falling behind. Get management to create incentive programs that are tied to employee reviews. Publicly reward good behavior, such as when a user detects a security problem and reports it early.
- Use outside expertise to reinforce your message. Outsiders are often able to better influence users simply because they are an independent source. It may not be any better than you could do, but hey, it works.
- Keep them on your good side by balancing security with convenience and usability. There's no better way to make people clam up about security than pushing draconian controls that get in the way of their work -- or, for that matter, their goofing off. Regardless of the context, misguided security controls can leave a bad taste in people's mouths.
- Ensure that security is at the top of everyone's mind. Place posters around the office, use security-centric messages in Windows screensavers and so on. Repetition and familiarity are the keys to persuasion. If people see these privacy and security principles constantly, the concepts are bound to sink in.
- Realize that it takes time for people to accept new ideas. Thoughts and approaches to security -- and what they mean for users and the business -- need to be presented casually and without pressure. Following these steps never hurt anyone. Once you have users' attention, you can present facts and logic.
- Make users aware of what's going on in IT, especially in information privacy and security. Suggest various IT sites and articles on information security. The Privacy Rights Clearinghouse Chronology of Data Breaches is a good resource.
Users are important for avoiding malware, keeping mobile devices secure, defending against social engineering and responding to incidents. They're a great first and last line of defense, and sometimes they're your only line of defense.
It is important to do whatever you can to win over users and keep them on your side. It's one of the most valuable skills you'll ever develop.
ABOUT THE AUTHOR: Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker and expert witness at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments and helping IT professionals enhance their careers. Beaver has also written and co-authored seven books on information security, including Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.
This was first published in November 2009