People-orientation in Information Security
By Ramón Serres, CISO (Pharmaceuticals), Almirall
There is too much talk about technology, and even about processes, and too little about people. The people dimension is often underestimated in the information security domain. But what is the people dimension all about?
In the classic operating model based on (A) Technology, (B) Processes and Procedures, and (C) People, it is the last of these that normally receives the least attention, when we would be better off doing it the other way round. This is probably because most professional profiles in cyber-security have a technological background.
Needless to say, technology gets the utmost attention everywhere, as if it were the one and only challenge. Discussions of its features and limitations are everywhere, and these may determine how well a given product fits each organization. At the same time, budget is also a key decision driver. But technology is by no means the biggest challenge.
On the processes and procedures side, we often miss a proper focus on people as a prior step; as a result, policies and procedures can end up unknown and ineffective in an organization. Policies that are not properly designed, thought through, and written with people in mind can be perfectly useless. A straight "write and publish" approach, unfortunately very frequent in many organizations, is clearly ineffective. Policies need to be announced, communicated, presented, even trained, and, after a while, reminded, because we are all human (at least for the time being) and we tend to forget things.
Stakeholder management is another cornerstone of this people-orientation. Understanding the various interests, concerns, doubts, and interpretations that people may have about information security is fundamental to doing the job well. The stakeholder list may run from the CEO and even board members, through senior management, business directors, the sales force, and administrative personnel, down to factory operators, across the different departments of your organization. And for each of them, you need to understand their interests, concerns, and doubts.
The first challenge is to do this properly: not rushing to fill in a spreadsheet by ourselves, but filling it in only after a face-to-face dialogue. Many would rush to open a well-organized Excel spreadsheet, with stakeholders in rows (board members, CEO, senior management, and others) and the various topics in columns (concerns, doubts, interests, motivation). The spreadsheet itself is fine; what matters most is the "talk first" approach.
Many CISOs spend little to no time speaking to their CEO. How on earth can they do a good job? A proper dialogue is the way to set the "tone at the top". Speaking to board members is also a real challenge, but again, they are the main stakeholders when it comes to crucial concepts such as risk tolerance or risk appetite, and their input will be very valuable when writing policies. But we should not miss the other side: who are the policies written for? Our audience, our users, our personnel. Understanding them is crucial to ensuring that a policy is useful to them, clarifying and helping. This is how a policy starts to be something valuable to the organization and not just a document published somewhere on the organization's intranet.
At CEO and board level, one of the most enriching conversations is the discussion of risk maps. It is there, discussing the risk scenarios and the business impacts, that you get their valuable input, which should then drive many other decisions. Their understanding of risks, their awareness, and their vision are crucial to a dialogue that builds a proper understanding of risks on both your side and theirs. This is what human interaction is about.
Moving further down the organization, we have to address personnel in general. Even standard governance frameworks invite us to consider people explicitly as a key lever. Take ISACA's COBIT 5 as an example, and you will see that among its governance enablers there are two that encompass concepts such as people, culture, training, skills, and behaviors.
If we start from people and work outward, from people to technology and from people to policies and procedures, we are much more likely to get it right. Why, then, do we place so much focus on technology? Organizations are made up of people, and, especially if you are in a leadership position, it is only when you act with a clear people-oriented mindset that you increase the value you personally deliver to your organization.
Another topic you should not forget is the personnel awareness plan, but there is an awful lot written about that already. In a nutshell: if you have not knocked on your CEO's door yet, do it. If you spend most of your time sitting at your desk reading emails and reports, you are missing an input that is crucial to doing your job: people. Your personal value may be at stake. Increase the weight you put on human interaction in all activities, from strategy definition down to operations.