Security Awareness for the Rest of the Year

October is behind us, a big month for national security awareness campaigns across several countries. For many, campaigns like this offer the only security training people get during the entire year. But a campaign-oriented approach like this also has a few limitations. You simply cannot frame all your company’s security training needs within one month, and campaigns cannot be arranged for every other month either. So, what should you do when October ends?

It’s not just about the awareness of others: your own awareness of how people and security interact is key to getting them aligned.


People + Policy + Products = Secure Practice

A famous thought leader in security, Bruce Schneier, popularised the term “people, process and technology” back in 1999. Our security strategy must cover all three areas, and this holds truer than ever. Technology still gets the most attention, and we still need to advance the people side of the formula. I believe cyber security needs more empathy.

Secure practice is established through awareness, culture and good user experiences.


Four Steps to Have Employees Report Security Incidents (And Save the Day)

Some insist otherwise, but any of your colleagues can be a valuable contributor to your company’s security efforts. One example is when you have no systems, rules or training to cover an unforeseen event, but people improvise to stay as productive and secure as possible. Risk-based trade-offs like this happen a lot, although people will not necessarily tell you when they do, but that’s how business gets done. Another example is when people report incidents (or potential ones), allowing your organisation to improve and become more resilient to cyber-attacks.

Reporting security incidents should never get you or your colleagues into trouble. Instead, it allows specialists to handle the situation, and the organisation to learn.


When Security Controls Give Less Control

Security risks in our organisation are usually risks we want to treat. To achieve this, security professionals turn to implementing so-called controls. This is a word loaded with promise. Of course we want control, especially with the growing amount of cyber uncertainty. But do the techniques we use for controlling risk necessarily result in actual control?

Competent people are needed to reap the benefits of technical controls.


Nobody Is Really Against Security

Anyone can relate to receiving an e-mail that seemed a bit suspicious, or to seeing a Facebook campaign that seemed too good to be true. Security is not something special that matters only to a few people. According to a recent online survey of American adults, 39% said they would sacrifice sex for one year if it meant they never had to worry about being hacked.

A general risk analysis would usually put people “up there”, in terms of both damage potential and probability of incidents.
