You are currently viewing A Humanistic View of Computer Security
Daniel Raúl Sachi, Director General, ROI Agile International

A Humanistic View of Computer Security

Much has been said and done about security in recent years, both physically and logically.
The appearance of threats grows exponentially and therefore, more and more powerful software takes care of the assets of companies, and more impregnable physical obstacles close the possibility that something is lost, stolen or accessed, but … is this enough?
Many argue that yes, or that if the software or hardware that protects us does not exist today, it will soon be available on the market. Others of us think that no, that the vision of the solution is not entirely correct.
Every process, system, technique, procedure or set of linked elements is just as weak as the weakest link in that chain. In the case of security, the weakest point in any chain is the intervening human being.
One might wonder if, being this the case, people cannot be controlled, and generally we would risk a positive answer. In fact, we can (and do continually) put multiple means of secure identification, traceability elements of operations on critical data, connection logs for audit, authorization levels, etc., etc., and all this gives us a sense of security extreme, invulnerable, or at least all we can afford, but … are we really as safe as we think?
The answer may not be as clear or concise, much less definitive.
Why? Because we still have a strategic element that may be weakened or may not function according to what we need, and most likely it is not fully covered by all the existing technology, and this is, the personnel who carry out actions in the environment.
In general, much of the security is thought to block external threats, to prevent malicious access, and to have control over the information or the assets of the company. We hardly find a company today where information is not its main asset.
However, what happens when the risk factor is positioned on someone who has the keys to the kingdom, that is, access to facilities, data, printers where to dump information, portable storages, and a whole range of elements that, in the wrong hands, are more than dangerous?
We racked our brains and wondered how this could happen? Can’t trust employees? Certainly yes, but only if they are considered for what they are, human beings and company capital.
From the management or high commands, a constant but subtle mistreatment, ignorance about opinions, discredit about the assertions of our people, the lack of reward (even moral) for achievements (and perhaps some punishment or no reward for bad habits and the lack of achievements, although it sounds bad to us), mistrust, the lack of formation of a solid work group, and the lack of leadership among other factors, make the person, this human being who works as a resource in our company, can fail or violate security, voluntarily or involuntarily.
On the other hand, from the orbit of the people who work for us, the feeling of not belonging to the company, of not being listened to, lack of motivation, non-shared objectives, fear of losing their job, economic shortages, the lack of vision of the future in the company and many other negative elements are realities that may be present among them.
For the first ones, where control is held by those of us who lead, the work is not easy but the path is more passable. If these things are happening to us, perhaps with outside help, and with our strong involvement and planning, we can settle or reverse them. Of course, none of this can be done alone, and it must be done in full conscience by the entire management and higher ranks.
For the others, the work is much more difficult because we have no control, and therefore, we must be measuring all the time the reaction to our actions, the results of each established condition, the changes generated in these elements from our maneuvers, and above all, the impact of our decisions.
Measuring or corroborating is not easy, because to do so requires a culture of sharing and not compartmentalizing, of strong and real values that can be felt on a daily basis, of serious, honest, clear and extreme communication that is not generated from a day to another, and above all things, of great vocation.
It is very important to consider that, if the first thing is happening, the second inevitably is also happening, with which the panorama becomes much more complicated,
because two work fronts are opened and to this is added the variable time, no minor issue in this type of scenario. We must first change our way of doing things so that instances of dialogue and common work are opened, and that, in this way, what is not under our control begins to change and to be. But this is not going to happen spontaneously and requires a lot of help.
Communicate (or hyper communicate) as much as possible, open our game, generate internal opinion groups, perhaps even generate some quality process or continuous improvement to stimulate change, and work, for example, in the adjustment of remuneration according to market and / or workload, are some first steps to attack the issue in a general way, but the richest and most productive part is going to be the one we do with each individual.
We must not forget that we deal with human beings, and that each human being has their own needs, visions of reality, feelings and opinions, therefore, there are no single, generic, or massive solutions. Each fiber must be pulsed in the correct way for things to change, straighten and produce the expected results. And we must be good players of this music.
Here, software and hardware no longer help us. Here the work is much more profound and casuistic, here the methodologies are not worth by themselves. At this point, empathy, a sense of justice, open-mindedness, active listening and a proactive attitude make for success, and each achievement will be just a specific and individual achievement, although perhaps some individual achievements will have a positive impact in the rest.
The problem is that, generally, in the branches of study based on technology, we are not prepared for this. Our variables, although they can be multiple, are always finite, while in human relationships they are infinite, and even unstable depending on the occasion, since the same person can act differently or have very dissimilar views on a problem depending on the situation, moment and changes in their own variables (family, friends, health, etc.).
It is necessary to take this issue in depth if we want a true security installed in our company, if we want to reinforce our work chain and make sure that our assets are safe. Perhaps we should change our gaze, perhaps we should at some point be less technical and more human, perhaps we should learn to relate more from the person we are rather than from the position we occupy, and also, we very likely need help for this.
Coaching activities for managers and middle managers, organizational climate reviews, internal surveys, and in general, work on excellence in the treatment of human capital in companies, are more than valid tools in the ordering and reaffirmation of the quality of our security, and as we can guess, they are more on the side of the human resources areas, than the technology area, therefore, the time has come to analyze new paths, to travel together with new travel companions.
A good way to start doing something with this is to make a list of the negative things that we see in our company related to personnel or their relationship with them, either one of those mentioned in this note or others that appear in the review.
Let’s analyze each of the negative factors found in conjunction with the human resources area (or with an external advisor on the matter) and see what is being done or can be done in the short, medium or long term, to solve them, cancel them or minimize them.
Let’s also examine the current impact of each element found, and also the cost of implementing the solutions in order to see each problem in its full magnitude.
Only after this, let’s plan together with our new partners, the actions to be developed.
Of course, there is a long way to go, and nothing can be solved with just a couple of actions, but we must be aware that, if any of the problems mentioned here is part of the reality of our company, it is time, without delay, to undertake the change…