Employ people who 'get' infosec


Organizations that take information security seriously enough to adopt good practice standards such as ISO27k generally appreciate the need to integrate infosec with HR processes. They have pre-employment screening, on-boarding processes such as security induction sessions, continuous security awareness & training where appropriate throughout employment, and off-boarding/departure activities when the employment or service relationship comes to an end. The key controls are laid out in black and white in section 7 of ISO/IEC 27002:2015. Most such organizations have security-related policies and procedures, along with compliance activities plus enforcement and reinforcement. Very few organizations manage without employment or service contracts, codes of conduct and the like, which often mention compliance.

Despite all that good stuff and more, we are repeatedly told that 'people are the weakest links', in other words we're not home and dry. We haven't nailed it yet.

Why? What are we missing?

Well, first of all, some organizations simply don't take infosec seriously. While some take the standards route, many more pay lip service to infosec, although they may not appreciate how little they are doing, and I doubt any would ever admit as much. 

Secondly, theory ≠ practice. Information security standards are seldom fully adopted, each organization having different circumstances, pressures and objectives. Even certification to ISO/IEC 27001 does not force the organization to adopt the controls in Annex A or ISO/IEC 27002, let alone "fully". Some evidently delight in spending and doing the least amount possible to gain their certificates. I guess either the business benefits that would be expected to flow from protecting valuable information assets aren't visible and attractive enough, or they simply don't have the resources to invest properly in infosec.

Thirdly, attitudes and beliefs towards infosec etc. vary among the general population, demonstrating cultural variations that can be substantial (e.g. intellectual property rights are almost meaningless in China, it seems). There is a need for education and public outreach programs going beyond the enforcement-driven anti-piracy campaigns, and those lame malware and phishing public service announcements to take in the ethical, creative and commercial dimensions for instance.

Fourthly, thanks largely to the endless marketing onslaught from tech/IT security companies flogging their antivirus and firewall products as if they are The Ultimate Answer, plus naive journalists and politicians swept along by the promise of technology "solutions", there is a widespread over-emphasis on IT security or (exploiting the latest fad) "cybersecurity", to the detriment of other aspects including:
  • Human aspects - the main subject of this rant;
  • Governance, risk and compliance;
  • Physical security;
  • Legal and regulatory aspects.

Fifthly, organizations are collections of people who vary in their individual levels of security awareness, attitudes/beliefs and practices. They vary from one another, and they vary over time. We all have our off-days!

That roundabout mind-ramble led me to the title line. Why don't we preferentially employ people who 'get' information security? In other words, if we take infosec seriously, shouldn't infosec be one of the criteria or parameters we use when selecting and promoting people? I'm not just talking about infosec pros: if we honestly believe that 'We are all responsible for information security', then surely it is important for everyone

Well OK, how could we put this into practice?  Here are seven pragmatic suggestions off the top of my head:
  1. In conjunction with HR, raise this issue with senior management. Explain the situation, report relevant metrics, lay out strategic options for their consideration and garner their support.

  2. Incorporate information security and/or related aspects such as privacy, compliance, assurance, trust, ethics and risk management in general terms into the promotional materials, vacancy notice boilerplate, 'About us' pages and so forth. Emphasize that management values the corporate security culture, hence candidates/applicants who espouse the same values are likely to be more successful than those who ignore or despise them.

  3. Systematically identify and emphasize the specific infosec-related aspects of jobs in vacancy notices and job descriptions, plus the associated personal competencies and (where applicable) qualifications, in the same fashion as various other requirements are described. Prioritize this for positions in which infosec etc. are core parts of the role.

  4. Provide policies, procedures, guidance and perhaps training for anyone conducting job interviews concerning the infosec expectations of suitable candidates. Add suitable reminders or criteria to the forms typically used as part of the interview and employment process, e.g. ratings for the candidate's security awareness level ranging from "blissfully ignorant" to "security evangelist". Increase the weightings on security awareness, trustworthiness etc. for roles where it matters the most.

  5. Survey the workforce (staff, managers and pseudo-employees such as contractors, temps, interns, consultants and advisors) regarding their infosec attitudes, knowledge and competencies, and use the survey results to drive through suitable, whole-organization and tailored awareness and training activities.

  6. Proactively reward and encourage those who go the extra mile, for example by reporting infosec issues, risks, events, incidents and near-misses, or engaging in infosec-related activities such as awareness sessions, risk workshops, documenting or reviewing and commenting on infosec policies and procedures etc.

  7. Identify and deal appropriately with individuals who evidently do not espouse the corporate values. This implies systematically monitoring various activities, behaviors, attitudes, incidents, concerns etc. for warning signs, assessing them and acting accordingly. Essentially it's a risk management problem. As with other kinds, it makes sense to prioritize the highest risks, such as potentially unethical managers or IT pros who flagrantly disregard various policies and procedures.

I'm not saying it's easy though. It's bound to be tough if senior management and HR don't 'get it'!