Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Here is my Fortune Cookie advice for November:
When it comes to employees and how securely they use their system, "trust, but verify".
We give them tools, harden their software, teach them good security practices, and reward them for safe behaviors. But end users may still cause great harm to their computers and more severely, the organizations data, systems, and operations. Trust must exist, but every security pro worth his salt, is paranoid with good reason.
It is not practical to wall out our own users. Some level of trust must exist. I believe the right balance for most organizations which maintain mature foundational controls, is to “trust, but verify”.
Made famous by former US President, Ronald Reagan, this quote was applied to situations where another party possesses the capability to do harm but agrees to refrain, for the greater good. Trust they will act appropriately, but maintain diligence to validate.
In the information security world, we too can strike the balance of security and functionality by allowing end users access to do their work effectively, while maintaining verification controls to insure they are not causing themselves or others unacceptable harm. This is no substitute to good training, security awareness, security tools, etc. as part of preventing undesirable events. But detection capabilities are a key element to a good defense in depth security program, which can allow more of a tradeoff between risk and productivity.
So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.