Can InfoSec really help save money? If so, are we selling the wrong vision?
If we talk about ‘safety’ as a topic, not ‘Security’, does that alter how people view what we do? Can we enable channel shift and the resulting cost savings as a result?
I had lunch with someone yesterday whose opinion I value (if I don’t always agree with it, which means it’s never dull) and we were discussing one of the thorny issues in the security industry right now – education.
For years, we InfoSec and IA professionals have been banging on about the human angle of InfoSec. It’s true to say that we may not always get our message through to our colleagues and customers, as evidenced by the daily grind of losses and breaches across UK Public Sector.
But there is another far more serious angle on this, which is the education of Joe Public. The thread runs thus: in order to generate savings, Government needs to facilitate channel shift. Digital by Default, e-Government, you get the idea. This means getting the public to engage via the internet, generally from home machines or latterly smartphones. It’s not an unreasonable assertion to say that home PCs and smartphones are likely to be less secure than machines on ‘corporate’ networks. Therefore, connecting unknown and unknowable machines represents a risk to the Government organisations they connect to. Evidence to back this is the fact that banks and utilities give away free AV software to those of us that bank/pay our bills online. I don’t care how it works, I just know it’s free, and I’m told it keeps me safe. The payoff is, my unsecured and virus-riddled machine doesn’t connect to their system, because it isn’t virus-riddled and unsecure.
So the core question, which has been rolling around IA circles for a long time now, is how do you educate the populace? And oddly, it’s the same set of arguments that perennially roll around public bodies anyway – essentially, how do I get my staff interested in InfoSec? Neither group is regulated, both groups badly need to get InfoSec if we are to see real savings achieved, but neither sees it as an important topic compared to, say, paying the bills or just doing their day job.
Maybe it’s because, as I’ve thought before, InfoSec just isn’t that interesting as a topic to other people. I know. I know. But it’s maybe true. So how about we stop giving people the detail and say, ‘If you do this, you’ll be safe’. Safe is a positive word. Security is scary. Safe doesn’t have detail. Security has more detail implied. If you tell a parent buying their teenager a laptop that for a few more pounds they can have a machine that is ‘Safe to Use on the Internet’, as opposed to one (by implication) that isn’t, every parent will buy the safe one.
Maybe we’ve been giving people too much detail? I’d welcome your views – because I’ve got lots more and I’d like an argument.