Those in IT and security sometimes take for granted the average person’s internet behaviours and how they can impact overall business risk. Likewise, the average user doesn’t always realise just how much the little things they do, or don’t do, can add up and contribute to an organisation’s overall level of IT-related risk. That’s why we need to do what we can to impart our knowledge to users in positive ways so they can become part of the solution rather than remaining part of the problem.

Many IT and security professionals pride themselves on complexity, portraying computer security as an art that only those working in the field truly understand. Yet this really is not the case: almost everything related to security is painfully simple. We all make choices on a day-to-day basis that do one of two things: they either bring us closer to a secure and resilient state, or they push us away from it.

Skills training must take place consistently

Regardless of how well-documented your policies are or how intelligent you think your users are, you can never assume that people will know what to do when an incident occurs, nor can you be sure they’ll always make good decisions. That’s why cyber security skills training must be conducted over and over again.

Real security change is often brought about by an outside impetus. If we keep doing what we have always done, we will keep getting the same results. It is on all of us, not just IT and security professionals but also employees, executive management and everyone in between, to ensure that our day-to-day behaviours are not creating barriers to better security.

It is critical for organisations to have everyone connecting the dots and following the concept of relentless incrementalism: a little bit every day, time and again. That means getting more information, getting better information and sharing wisdom when it should be shared. Never assume, and never take things for granted.

Source: IBM Security