Human resources are your strongest asset but can also be your weakest link. Whether you’re defending against growing human factor threats, building your “zero-trust” model or just meeting your compliance guidelines, companies often recognize the importance of People, Process & Technology but struggle to integrate them into a unified strategic plan.
It's important to first re-discover your workforce and all the users in your distributed IT eco-system. Identify their roles, compliance requirements, applications, devices and normal workplace behaviors. Do this before embarking on your next security and training implementation. It’s also critically important to include your workforce as partners in cybersecurity defense and mitigating human factor threats.
This may sound simple but is very challenging for most organizations. The workforce, its applications and the devices it uses are increasingly distributed and siloed. Human resources departments collect general information about employees, sales work with partners and customers, program managers track programs and their applications and IT managers maintain networks, technology and tools.
Add to this digital transformation and a mixed patchwork of on-premise, cloud applications and self-service automation tools. Organizations must account for a mix of corporate and personal user devices (BYOD). We end up with a myriad of endpoints to be managed and lack of a comprehensive process to integrate and manage this user and asset information. All this lowers human-factor controls, increases risk and creates administration chaos.
Meanwhile, popular IT Security marketing hype is screaming “Human Factor Threats” and "Zero-Trust". This can inadvertently demonize people and hurt workforce morale. It makes it harder to change behaviors and creates an environment where people are less likely to report a security issue, a mistake, a suspected privacy breach or suspicious behavior.
Factors that Impact Human Factor Security
- The workforce is becoming increasingly distributed - its common to have a mix of employees, contractors, partners, offs-shore support, distributed development and collaboration;
- Organizations lack a holistic understanding and centralized tracking of user application and access needs, devices and their behaviors across the distributed workforce;
- Many organizations lack a team or program manager with full visibility of IT user needs, applications and behaviors;
- IT and EA governance frameworks that address similar topics are cumbersome; while they check a compliance box, they are often not practical for small and medium sized organizations and seldom implemented in full or applied tactically day-to-day and users are rarely trained on our IT and security policies;
- Technology and tools used by organizations are changing at a rapid rate. Education and assessment must keep pace; it must be relevant to user roles and continuously tracked as required in security frameworks such as NIST and ISO 27000. The tools should be available on-line to a ubiquitous and global eco-system of workforce, partners and customers;
- Organizations may have a toolbox full of various security and training tools but how well are they utilized or integrated? Underutilization, overlap and failure to measure the effectiveness of existing security tools are common problems.
It’s time for a more holistic model for IT human-factor management. At Potentia Concepts we call this Human-Factor Controls & Enablement (HFCE). HFCE starts with user discovery, assessment and planning ahead of technical tools and training implementation. It includes the selection of user security tools that make system authentications strong, simple and easy to manage. It applies least privilege principles for admins and users. It requires someone at the helm to manage coordination, training, tracking results and building a cyclical process and feedback loop. All this results in reduced cyber risk, greater compliance, faster implementations, lower support costs and a happier workforce.
Things to Consider Starting a Human Factor Control & Enablement Program
- Create a program and obtain buy-in from executives, CIO, CISO and your HR department. Include your workforce in the program. Report progress periodically back to your executive charter team;
- Assign a dedicated program manager or member of your project management office (PMO) to manage your Human-Factor Controls & Enablement program; build a matrix core team and include your training team;
- Conduct an internal audit of your user eco-system including workforce and partners. This includes applications, access needs, devices and standard behaviors. This may take a few months depending on your organization size and IT maturity level and will be an ongoing process;
- Work with your CIO and CISO to understand existing user-oriented security technology used by the organization and jointly determine potential gaps, planned projects and budgets. Create a plan to engage vendors for research and testing. Make sure your business requirements drive your technology decisions;
- Ensure that the program is cyclical. Program evolution may involve your customers or other stakeholders. Plan for quarterly progress reviews, reports to your executives and steering committee and tune-up the program.
The road to Human Factor Control & Enablement will not be easy but is a worthwhile journey for your organization. Get started today, be patient to progress over time and the rewards will be there.
Adam Hoey CEO – Founder | Potentia Concepts