Tackling the human problem of security

The default answer from internal IT security professionals to almost any proposal is generally "no".

Mike Burgess, Telstra CISO.

Staff try to get on with their work, having been shoehorned into an IT setup that fits their needs to a degree, but never completely. When they try to work around the impediments to successfully do their job, the 'security risk' earns them a slap on the wrist.

That’s the wrong way to implement security, according to Telstra chief information security officer Mike Burgess.

The former cyber chief for the Defence Signals Directorate set out to change the mindset within Telstra when he joined in February 2013, a mammoth task given the size of the telco and its exposure to security threats thanks to the very nature of its business.

“I am passionate about security and privacy,” Burgess said when introducing his team’s two-pronged 'discovery and influence' initiative at Telstra security operations centre.

Data analytics forms the basis of the 'discovery' capability, with the team hunting for first-seen malicious events as well as inadvertent harmful behaviour by staff.

Security should mean you say “yes, you can do it if you take certain things into consideration”, therefore being a business enabler rather than a compliance and enforcement function, Burgess said.

When inadvertent harmful behaviour is spotted, Burgess’ 'influence' team tries to resolve the matter with the person in question and come up with a sensible way to do what needs to be done. 

Punitive measures aren’t the best way to achieve a balance between security and staff being comfortable using technology, Burgess says - he dismisses having to reimage infected systems on staffers’ own time as unhelpful punishments.

“All that tech stuff isn’t necessarily going to help - a human solution that takes into account how people react, behave and think is needed too,” Burgess told iTnews.

“One problem with cyber threats is that they’re not physical in nature. Humans respond to physical threats really well, but the internet and its connections to real life started just 40 years ago and has only really come into the mainstream in the last decade."

As part of the discovery and influence strategy, Burgess’ team developed Telstra’s "five knows of cyber security” to provide an easy and accessible approach to manage cybersecurity risks:

• Know the value of your data,
• Know who has access to your data,
• Know where your data is,
• Know who is protecting your data,
• Know how well your data is protected.

Those five principles have been very successful in raising awareness at Telstra and have been adopted across the business as the framework by which the telco will review information security practices this year, Burgess says.

The biggest achievement for Burgess is that his program has engaged Telstra staff at all levels, from the executive down, and helped them feel enabled and not constrained.

“It’s a head and hearts approach to cybersecurity that’s as much a human problem as it is a technology problem,” Burgess said.

Mike Burgess' discovery and influence capability project is a finalist in the SC Benchmark Awards.

Copyright © SC Magazine, Australia