Honest Security is an approach designed to help organizations achieve two distinct goals: educating employees about security, and dramatically improving adherence to the security team’s recommendations and compliance objectives.
In your organization, your team might already employ tools and programs with the same goals in mind. Perhaps your organization even lists honesty, transparency, and ownership among its company values. On the education side, many products let you create interactive training modules for employees. Despite their incredible graphics and engaging voice acting (not), these programs fail to deliver the information when it is most useful for the trainee to hear it: at the point of performance. Other educational tools, like those used to train people to identify phishing emails, do deliver the training at the point of performance (right after the user is fooled by a simulated phish), but they can only do so by expending considerable effort to fool, entrap, and subsequently humiliate their potential students into demonstrating their lack of knowledge. That's not a great way to build a working relationship.
On the compliance side, the existing approaches aren't much better. Products exist that allow you, with a single click, to remotely change all the settings on a device to match the recommendations of a given compliance standard. Unfortunately, these tools neither consider nor care about the end user's experience, nor do they take into account the context of the user's current environment. If a compliance standard advocates disabling Bluetooth in high-risk situations, such as when the user is in a public space or traveling, the compliance tool's only option is to disable Bluetooth on all devices, permanently, with no exceptions. Need Bluetooth for 10 minutes so you can join a conference call on your Mac with your AirPods? Too bad. That's how the hackers get in.
Honest Security achieves both of these goals better than the existing approaches because it starts from the premise that communicating directly with the individual using a device is the key to solving these problems.
As we will see in the Honest Security for Education section of this guide, we can use honest data collection techniques to deliver contextual and personalized recommendations (not alerts or failures) to end-users at the point of performance. No humiliation is required!
In the section entitled Honest Security for Compliance, we will explore how generating predictable and proportional consequences increases adherence to important recommendations from the security team. The techniques described in that section can even drive actions like users voluntarily opting in to managed profiles.
But before we can do either of these things, our Honest Security program needs to know certain things about your organization, your users, and the devices they use, and we need to obtain that knowledge honestly.