One of the easily recognized weaknesses in any system is the user. We want to be gentle, compassionate and nice about how we document this but it doesn’t change the reality that human designers, architects, engineers, developers and users bring with them some of the most exploited weaknesses.
Security struggles with problems from this vector because the solutions cannot be automated with software. Changing human behavior requires motivation/investment of the individuals coupled with an increase in both knowledge (what CAN I do?) and understanding (HOW do I do that and what happens when I do it?).
There aren’t many programs out there nor many templates for how to do this. In our environment we’re establishing and developing a program for scaling this knowledge and understanding out through a team of trained advocates. We aren’t asking these people to have any conversations they aren’t already having. We’re not asking them to make a 30 minute presentation nor to argue with project members. We just want to inform them of the importance of security principles and arm them with understanding of the value of apply this knowledge. These advocates are already in discussions with their architects, engineers, developers, project leaders, business owners and users. They’re already considering how to deliver on the business’ functional requirements (I need to be able to update the payout to that customer, I should be able to delete duplicates, etc). We want to elevate both the expectation that non-functional requirements such as privacy, compliance and risk management are included in those conversations and then empower people with knowledge and understanding of what they can do, how to do it and what the implications are.
We’re doing scheduling road shows within the enterprise and looking for opportunities to present our efforts to the security and risk management community at large.
Scaling Security – Better Business Decisions, Faster