When I look at the way security is treated in a lot of companies, I see two fundamental challenges:
- Security is seen as a compliance function only. In other words, security people tend to hide behind policies. This is fairly simple for us, isn’t it? We can take the policy and tell somebody to follow it because it is written in there – no responsibility to be taken. Unfortunately, we ignore the fact that a policy was written by people and can be changed by people. Additionally, it might make sense from time to time to think about adapting the policy to fulfill the needs of the business (and, obviously, to help secure the assets).
- The human factor is ignored. Well, a lot of people talk about “the only secure way is the simple way” etc. But do we really live this approach? Really? I guess not. Let me give an example. When was the last time you took the time to read a 20 page manual? I rarely do. But then we write policies which consist of dozens of pages written in legal language – and then we expect our users to read, understand and follow them because we say so. Doesn’t work.
We need to change. We need to put humans at the center of our thoughts. We, at Swisscom, have a team called Human Centered Design. These are the people who help to design our shops and our products, and who help to improve the user experience you have when you interact with us. When I got my first free FTE, we started to hire a person in that team to support us with these approaches. Let’s design security where the customer experience rocks: where people like to interact with security, where they see security as an asset and a help instead of a burden.
Don’t get me wrong. We need the policies, we will do governance and we have to punish people if they think they can violate the policies. But on the other hand, I am deeply convinced that the only way to make “real” security happen is to help the users who want to do their job in the right way (98% of our staff) to do it in a simple way.
Could you imagine project managers coming to the CSO to tell them that they enjoy working with your team? Project managers telling you that they could never be as successful as they are currently without the help of the security team? Guess what: this happens to me. It is initially all about the mindset. A mindset of putting your customer (and it might well be your internal customer) at the center. And then it is about changing the user experience.
In both areas, I know that we still have a long way to go, but I am absolutely convinced that we must change security in this way.