Wednesday 25 January 2012

IT Security: Changing Responsibilities

It's time for another of my motorbike analogies... This time on the topic of IT Security.

In a car, it's all about secondary safety - when you've had an accident, the metal cage, the seat-belts and the air-bag are all there to keep you safe. The car has become responsible for your safety. In contrast, when you learn to ride a motorbike, the instructors are at pains to tell you that keeping safe on a motorbike is all about primary safety: Don't have the accident in the first place. In other words, nothing else is going to take ownership of your safety, it's in your hands and your hands alone.

I strongly believe that IT Security needs to be like motorbike safety: Do everything you can to ensure that the incident doesn't happen in the first place. The question is, how do you get primary safety in the workplace rather than needing to rely solely on secondary safety?

I think it's simple: Primary Safety is about process, policy and training. Above all though it's about treating your employees like adults, giving them a sense of their own responsibility to keep the company safe and giving them the tools to enable them to have that responsibility. I'm not advocating removing secondary safety services, but if someone has no responsibility then they don't care about it, because it's someone else's responsibility if things go wrong, not theirs, and the risk of an incident is thus higher.

Investing in primary safety, giving people that responsibility and the tools to enable that responsibility will greatly reduce the likelihood of an incident happening in the first place.

If you want a non-motorbike analogy for this, there's clear evidence of this on Kensington High Street in London. The council decided to remove all street furniture, place the bicycle bays in the middle of the street and take away all the railings. Madness you say, all that safety equipment gone, accidents will go up! No, not at all. Because pedestrians were handed back responsibility for their own safety, they were more careful and accidents involving pedestrians dropped by 44% over 2 years (the London average in comparison was a 17% drop).

The good news is that both IT Security and old-fashioned physical security are evolving fast and we're quickly getting to the stage where employees can be involved in their own on-line safety. Over the next year or so, I think we'll see a dramatic change away from a policed security model to a community owned security model and as a result there'll be fewer incidents and people will enjoy a better working environment.

Here's to Primary safety!

*Look 2/3 the way down the article.

Monday 23 January 2012

Blunt Instrument No More

In the last recession, yes, the one in the 90's, IT was cut and cut savagely. This time around in what looks to be a double-dip recession, IT is being cut far less. A sign, I think, that IT's role has moved from being peripheral to a business's profitability to one where it is core to a business and a driver of revenue.

Unfortunately, there are many CEOs and owner/managers who still view IT as a necessary evil, a blunt instrument that provides some services that do a basic job. However, the days when IT was Email, Office and Printing are long gone. Now not only are people utilising technology to improve their working environment, but they're also using it to underpin and drive their productivity.

This is usually a bottom-up process, with the board and the CEO being the last to recognise or understand the need for the technology. This lag between the technology required to support the employee and the acknowledgement from the board that investment is required to provide that technology landscape can often be considerable and result in pain for everyone.

People entering the world of work for the first time will never have experienced a time when the internet didn't exist for them. Their technology and connectivity is an extension of themselves and the idea of not having it is enough to refuse employment. Even those who've been working for a lot longer will find technology is essential to their working life and not something they can do without.

The point is that CEOs should be less reactive and recognise the need for the right technology in the workplace. It really is no longer the blunt instrument, but more a multi-faceted, sophisticated tool capable of so much, it cannot be ignored.