Monday 30 September 2013

Security architecture and design awareness module



Hey, wouldn't it be cool if, instead of constantly having to patch our systems or put up with security bugs and flaws, they were secure-by-design?  Suppose security was the default, not an obscure option that is difficult to find let alone turn on.  Imagine if vendors and business partners took our information security seriously enough to want to discuss mutually satisfactory security arrangements when drawing up contracts and agreements.

You can either dream on or do something about it.  We chose the latter, hence this month's brand new awareness module covers security architecture and design - not something most security awareness programs get into, but we've never been a company that follows the herd.

One of the ideas we bring up is to make use of design principles used in contexts other than information security.  The engineers' approach to 'safety, security and survivability', for instance, is easy to transfer, while health and safety's hazard analysis is essentially the same as information security risk assessment.  The point is to help employees (staff, managers and IT professionals) shift from more- to less-familiar territory, draw analogies, and most of all spark their imagination and interest.  Motivating people to behave more securely is tough, especially with such a dry subject, and simply publishing your information security architecture and design policy on the corporate intranet just won't cut it - assuming you have one, that is.  If not, there's a model policy in the module, as usual, to get you started.
