The No. 1 Security Risk, and the Effective Solution
Billions of dollars, countless vulnerability assessments, thousands of innovative security solutions later, and we still haven't moved the trusted worker off the top of the list of known threats. Why is this?
It's not for lack of effort. Most organizations have policies, procedures, some form of training, and hopefully some network activity monitoring capabilities. Some organizations have strict hiring criteria, multiple authentication protocols and an IT security officer. A rare few have the money and resources for real-time monitoring of access to, and changes on, the network.
And still, the people we trust with our confidential information are deleting, corrupting, leaking or stealing it.
And now that our mobile workforce expects "anywhere access," the network perimeter has effectively dissolved. Our workers have vastly more freedom of movement and access, but they also need to be more accountable for policy compliance, confidentiality and appropriate use. So how do we ensure compliance?
Awareness In Depth
Cognitive scientists have been telling us for decades that behavior is hard to change. Habits are hard enough to change; character traits are harder still. Militaries across the globe use "boot camp" to break down old behavior patterns and imprint new ones. "Carrot and stick" psychology has been the dominant model since the beginning of civilization: "If you do this, then you will get that." "If you don't do this, then you will not get that." It's called the "If-then" dynamic.
A new model of motivation is starting to take hold, even though it has been available for over 40 years. It's called the "Now-that" dynamic: "Now that you have done that, you can have this." Daniel H. Pink, in his book "Drive: The Surprising Truth About What Motivates Us," summarizes this motivational paradigm shift.
In short, trusted workers remain the No. 1 threat to IT security because technological solutions, for the most part, don't impact the behavior of the worker. Unless you monitor what your workers do and give them feedback on it, their behavior will not change on its own.
The effective solution is "Awareness In Depth." I coined this phrase to complement "Defense In Depth," the idea that multiple layers of security controls strengthen overall security, because if one layer fails others are there to compensate.
Awareness In Depth applies the same principle, but here the layers build on one another rather than merely backing one another up. A change in behavior requires a change in consciousness (awareness), disposition (attitude), valuation (appreciation) and focus (attentiveness or mindfulness). We tend to do what we want, and not do what we don't want. So the remedy comes from changing our capacity for awareness, so we know what is necessary; our attitude, so we understand why we do it; our appreciation and shared ownership of what we must do; and a heightened mindfulness, so that we don't slip up. We need to change what our workers want.
At Southwest Washington Medical Center in Vancouver, Wash., we have Awareness In Depth:
- Multiple applicant screening criteria;
- Rigorous interviewing processes;
- New employee orientation;
- Confidentiality and privacy agreements, signed upon hire and each year during review;
- Policies, procedures and processes, including appropriate use and access monitoring;
- Departmental and computer-based training;
- Annual, mandatory, web-based training modules covering IT security, privacy and appropriate use;
- An annual "MUMs the Word" campaign on HIPAA, confidentiality and IT security;
- And most important, a culture of caring and excellence.
Southwest's vision is "Exceptional medicine. Extraordinary care. Every person." We can't achieve it unless everyone is on board with how we get there, and that requires exceptional attentiveness and extraordinary caution from every worker.
The effective solution is available to all of us, if we collectively want it badly enough.
Christopher Paidhrin is the IT security compliance officer at Southwest Washington Medical Center in Vancouver, Wash. He has worked for many years in IT and business operations, in higher education, the private sector and entrepreneurial environments, where he has held numerous director-level positions. He can be reached at firstname.lastname@example.org.