Seems like a simple concept. Of all the things that impact security the most, and specifically network security, it really all comes down to the human element. We can, technically speaking, “lock down” the network to be as tight as can be. But without people buying into the concept of security, it will be compromised. Simply put - security starts with you. And who you are within the organization has a serious bearing on the impact you ultimately have on your business’ network security.
Everyone starts the security conversation around solutions and, therefore, around technology. “We need a penetration test. We need to tighten up our security. We need to understand our risk from outside intrusions. We need to lock things down.” And on and on and on. Rarely does the discussion revolve around the social aspect – i.e., the people, policies, and culture. That’s right – culture. What the leadership says and does when it comes to security sets the tone for the entire organization. You can tell how important security really is to a business by how much it is integrated into the day-to-day policies and procedures of how it operates, how its staff views those policies and adheres to them, and quite frankly how much it spends on it. It’s no longer ok to just say, “it’s the IT guy’s responsibility”. That is beyond oversimplifying things.
Keep in mind, security is not a one-time thing. There is no point in time before which your system was insecure and after which it is secure. Security is a continuous, ongoing effort. So, how can you not include your people in the conversation?
You can break down security into the following core components: those things you can do with/to your systems (i.e., technical) and those things that your people can do (i.e., policies, procedures, and culture). The tightest systems in the world still have all those unknowns that human beings bring to the table. Do they follow the procedures? Do they believe in them? Do they understand the technical aspects behind them? Beyond just understanding and believing in the policies, there’s a certain level of technical knowledge a computer user needs to have these days to operate in the dangerous landscape we work in. For example, phishing, malware, and data leakage are just a few of the topics most users need a basic understanding of, so that they’re NOT the ones letting external intruders in (and letting your information out).
What does this mean? Well, if you’re truly interested in securing your information, you need to invest in your people as well as your systems. And plan on this being an ongoing exercise. Remember – security starts with you. And that “you” is EVERYONE in your organization.