The Security Company – a consultancy for corporate security and compliance awareness – is all about people. In fact, Smith insists that he does all he can, including hiring non-technical staff, to distance his company from technology. While he is insistent that the people problem is the missing piece in the information security puzzle for many organizations, he reluctantly admits, frustrated, that people don’t want to spend money on it.
“Suppliers want to sell boxes, and companies want to buy them”, he says. “When we look at what’s actually going wrong though, we see that it’s almost never technology. Computers don’t make mistakes, people do.”
Je Ne Comprends Pas
Smith believes that like health and safety, training and awareness needs to be embedded into a company’s culture. “No-one is telling their staff what to do. If you offer help, people will take it”, he says. Measuring progress and changes in behavior is crucial, says Smith, whose company offers a three to five year contract. “Everything we do is measurable”, he explains.
For every one customer that The Security Company has (and it has a pretty impressive array), Smith predicts that there are at least another 99 that need help in this area. “Some just do compliance, some do home-made awareness efforts”, he says, noting the inadequacy of both. But it’s not just organizations that “don’t get it”, he says. “The [information security] industry doesn’t get it. They try and solve all problems with technology”, he sighs.
Ideally, the industry needs to work together in order to focus on prevention, Smith insists, declaring technology vendors as “not mature enough to realize this”. Similarly, end users “don’t value the human factor and aren’t willing to invest in it. They may take a look at what we do, and try to do it themselves – badly”.
The Highway Code
Smith is not a believer in using policies as the base of a security mandate. What is needed, he explains, “is a highway code”, or more specifically, as labeled by The Security Company, a “knowledge zone”. This knowledge zone, accessible to employees, “covers every eventuality. It offers advice and the Highway Code for the organization. It’s essential and it needs to be learned”, he insists.
The knowledge zone also allows employees to report problems, suspicions, and seek advice. It is monitored by the security department.
Speaking of which, Smith claims that an organization’s security department should be the size of your entire organization. “That’s right, each and every person should be a part of your security department”. Treating your users like intelligent adults will certainly encourage them to act like it, Smith believes.
For People, About People
Outside of his day job, Martin Smith is the chairman and founder of the Security Awareness Special Interest Group (SASIG) and an active member of the Information Security Awareness Forum (The ISAF). “SASIG is unique. It’s a free networking education forum that exists only for the delegates and does not exist to make money”, explains Smith.
The relationship between SASIG and The Security Company is simple, says Smith. “They are one and the same thing. They both promote a cause”. The benefit of SASIG for its sister company, The Security Company, he says, is “that it starts conversations -gets leads. You can’t get someone to buy something until they become interested in the idea/concept”.
The hardest sell for companies like The Security Company that focus on awareness and education, is that “we are selling what people need, not what they want”, says Smith. “I find it offensive that senior people don’t address this aspect of security. It is absolutely vital for a CSO to look at all aspects of security”, Smith concludes.