Description
Security and first-person shooter video games have one obvious thing in common: if you’re not continuously moving, you’re dead. In this second edition of Managing Risk and Information Security, Malcolm Harkins helps us move our thinking into areas of risk that have become more prominent over the last several years.
Because there is so much new content in this edition, I will focus on a topic that has risen to greater prominence since the first edition: people are the perimeter. When we reflect on what has changed in recent years, with an eye to the vulnerabilities that result in real-world compromises, a pattern emerges: virtually all the major breaches that we have seen involve manipulation of people. When nearly everyone has heard of phishing, we have to ask ourselves: why is it still such an effective tool?
The obvious theory is that we haven’t managed people risk as well as we should. Perhaps we have been standing still and need to learn how to dodge and experiment with the way we drive better people-security outcomes. Unfortunately, the path is not 100% clear. Unlike technology, the field of influencing human behavior in security is remarkably complicated and supported by limited research.
Malcolm provides us with a great foundation and framework to build our “security engagement” functions. I like to use the word “engagement” because it speaks to how the security organization relates to the workforce in a manner that isn’t simply bounded by the more traditional term “training and awareness.” Engagement encompasses anything that shifts the desired behavior outcome in the direction we want it to go. I have seen remarkable shifts in measured behavior from the use of non-traditional tools such as security gamification and simulation.
The way Malcolm differentiates between “compliance” and “commitment” is key. Managing Risk and Information Security is an ever-evolving classic in the field of security management.
—Patrick Heim
Head of Trust & Security, Dropbox