I Dream of Security
I should be careful – I’m going to give myself Blogger’s Wrist if I keep posting. However, it seems like the issue of digital security is a vital one for the entire humanitarian community right now, in a variety of ways. Obviously security needs to be a consideration across the entire organisation, and there have been significant improvements on that front in the last few years (the tragedy is that it took Iraq to bring the message home).
Digital security, though – we’re behind the curve. Most security officers don’t know enough about technology, and most IT staff don’t know enough about security. When I wrote the initial post yesterday, I was scratching my head for practical steps that organisations can take – there are a lot of things that we can do, but where should we start?
Luckily Bruce Schneier’s article in Wired this week, Inside the Twisted Mind of a Security Professional, is absolutely right – we start by thinking differently about the world.
Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities…
This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.
This points to the reason why most UN or NGO staff make such terrible security officers – project staff in those organisations are generally problem-solvers, sent in to a situation to fix something that’s not working properly. Security awareness training is critical for these staff, particularly as part of their induction, but you can’t expect them to change their orientation entirely.
More pertinently for us, this is also the reason why neither IT nor security staff should be solely responsible for IT security – it takes both sides of the fail / fix equation to build resilient IT infrastructure. So: the first practical step that you can take is to bring those two groups within your organisation closer together, so that they can bounce problems and solutions off each other. It’s that simple.