Part I
It is time to take business needs, and the people who realize the business, as the starting point for Information Security. I call this people centric Information Security. An important part of digitizing information is doing so in a secure way. During my career I have seen many changes in IT and have helped organizations with very different environments cope with these changes. These experiences helped me form a clear vision that lets me support organizations (from large enterprises to small businesses) in getting their Information Security processes on track. It enables me to put Information Security in the perspective of different organizations, and to explain how Cyber Security relates to Information Security, and how both relate to IT.
Most organizations already have their Information Security processes in place. The challenge I see is that they struggle to find a way to take the business processes they need to support into account. I am convinced that organizations now need to start aligning both types of processes in such a way that they help the organization reach its full potential.
How to realize people centric Information Security?
To realize Information Security in the context of any organization, it is necessary to understand how people process information in relation to their position and function. This will lead to insights about insecure processing of information that senior management will want to change. At the same time, it is important to realize that people are used to processing information this (insecure) way: it is the way they do their job. Having senior management commitment to actively embrace Information Security is a good and important development.
Enforcing changes to realize Information Security will, however, introduce resistance. To successfully realize change, organizations must ensure that people are willing to adopt it. The most important way to accomplish change successfully is to explain why it is necessary, and how the people affected (in the short or long term) will benefit from it. This is difficult where Information Security is concerned, but it is worth it. I am also convinced that it will become a game changer that lets organizations exceed expectations.
Why should Information Security be people centric?
The complexity of the digitized information landscape is increasing exponentially and has a growing impact on society. This means that we need to rethink the way we design our environments, with security as a component of their quality. The replacement of letters by e-mail and the registration of contact information in databases led companies to develop systems that analyze behavior. This led to direct marketing methods tailored exactly to the needs of a specific person, which in turn led to questions about our privacy and, in Europe, to the General Data Protection Regulation (GDPR).
Modern technologies (e.g., ChatGPT (Artificial Intelligence), Apple Vision Pro (blended Virtual and Augmented Reality) and the computing power that Quantum Computing is unleashing) will completely change the way society processes information. Organizations will easily find ways to reap advantage from these modern technologies. The difficulty lies in understanding the disadvantages they (might) bring. If you, like me, watched the ‘Black Mirror’ series, which reflects the dystopian (black) side of modern technology, you will recognize what I mean. Consequently, more laws and regulations are already coming our way [footnote1]. Combined with the influence big tech has on society through its solutions (Google, TikTok, Facebook, et cetera), there is a growing governmental responsibility to help (corporate) society with clear guidance. The ban of ChatGPT in Italy and the banning of TikTok on governmental devices in The Netherlands show that this is already happening.
Compliance with legislation is important, but the challenge is that legislation is always one step behind the current state of reality: something has already happened, and that made governments decide to create these laws and regulations. Because of this, the following is becoming more important than ever. Organizations must really understand how people are processing their information, and they need to understand this before they adopt these technologies in their daily business operations. This helps create insight into what the complications, impact and risks can be when they use these technologies. Thus, it is important that organizations keep their focus on their people and on improving business processes, in addition to showing compliance.
Next steps in people centric Information Security
Easier said than done, you may think. In upcoming blogs, I will take you through the steps to realize this. They are about creating an integrated approach in which business and people are the center of Information Security analysis and design; about how to make Information Security part of Quality Management (and why this is important); and about how to further embed Information Security in the processes of organizations. This is done by cooperating with adjacent business functions, like Quality Management, Risk & Compliance Management, and IT (Information Technology). In the end, all this is necessary to create an Information Security Management System: a system that makes it easier (not harder) to achieve goals and objectives.
Concluding, it is time to start combining expertise and creating a new way to implement Information Security as part of the organization: people centric Information Security. Start working on guidelines that help before the fact, in addition to using (new) laws and regulations. Start adopting an Information Security Management System as part of your core (existing quality) processes and business functions. The result will be that you comply with your own security needs, and thus more easily with both existing and new laws and regulations. Information Security becomes business as usual, and your people want to work securely, because they were part of the process to get it done. Please stay tuned and read my next blogs, in which I will further explain how I envision this.
Footnote 1
Examples of (upcoming) EU (European Union) regulations and directives that EU countries need to create laws and legislation for: EU Network and Information Security Directive (NIS2), EU Resilience of Critical Entities Directive (RCE), EU Cyber Resilience Act (CRA), EU Digital Operational Resilience Act (DORA), EU Directive on liability for defective products, EU Artificial Intelligence Liability Directive (AIL), EU Artificial Intelligence Act (AIA), EU Data Act (DA), EU Digital Markets Act (DMA), EU Digital Services Act (DSA), EU 5G scheme (EU5G), EU Cloud Services scheme (EUCS), EU Common Criteria scheme (EUCC).