Perfection and the Human Element

"All of life is the management of risk, not its elimination." — Walter Wriston

First: There is no such thing as a perfect security environment. No matter what steps you take to protect your business’ information, there will always be some degree of risk that the information will be accessed by unauthorized individuals, lost, or rendered unreliable. Information security is fundamentally dependent on human beings to program, configure, implement, design, monitor and test security systems. Humans are inherently imperfect. Do not deceive yourself into thinking that by implementing security technology you will have solved all your problems. Hence, there will always be risk.

Second: You will always be faced with limited resources. If you cannot guarantee your manager that you can implement a perfect security environment, your manager will not be willing to give you an unlimited budget (assuming, in the current economic and business environment, that your manager even believes that information security is worth funding). The challenge is to determine the appropriate balance between the need to reduce risk to an acceptable level and the resources required to attain that level of comfort. In the past, business managers made these balancing decisions on imprecise and subjective criteria, basing them more on the prior experience of the manager than on any objective set of tools. In an environment of ever-increasing threats and vulnerabilities, it is imperative that we adopt objective, repeatable processes that can accurately determine the risk.

If you are to roll out a security system or process that effectively addresses the needs of your business, you will need to take the human element into account. You will need to properly train employees in using the system, enlist their support in maintaining it, provide monitoring procedures to ensure the system continues to function properly, and be willing to create a program of continuous improvement to address the inevitable failures. Even after you have taken all these precautions, the imperfection of the human condition will still guarantee that your employees or vendors will make mistakes. That is when you will need to consider deploying redundant controls: controls based on the concept that if and when a mistake is made, a secondary control should be able to minimize its impact.

©2009 ISRMC, LLC