The Lessons from Information Security
"It’s easy to secure things if you’re willing to make it hard for people to get their tasks done. Beauty, or I’d use the term elegance, is when there is materially improved security with minimal impact or visibility to people." - Grant Kaufmann
Grant Kaufmann is one of the smartest and most interesting people I know. I asked him 6 questions about information security and how the principles from infosec can be used in other areas, in a multidisciplinary manner. You can connect with Grant here.
1. What do you consider ‘beauty’ in your field of work?
It’s easy to secure things if you’re willing to make it hard for people to get their tasks done. Beauty, or I’d use the term elegance, is when there is materially improved security with minimal impact or visibility to people.
2. What life lessons have you learned from Information Security?
It’s always about the people.
It's common in the broader industry to see the people as the problem and the technology as the solution, but not in a way that respects them and appreciates inherent human frailty. So the industry pushes products and solutions that may improve security but offload the effort onto people with tasks they are ill-equipped to perform. What I've learned is that we should meet people where they are. As a wonderful person I worked with said, "we need to work with the people we have, not the people we want". This is not a slight on our coworkers; rather, it's a recognition that everyone is going through their own lived experience and our job is to make that better.
3. What are the main principles of Information Security and how can they be applied to other fields?
Information security should be mostly invisible to people. This probably applies to much of design.
Don’t expect people to do things that they’re not capable of and get angry when they fail. An example of this is “Don’t click on a suspicious email”.
It's not difficult for most people to identify a malicious email link; it's impossible. It's the job of the technology to hugely reduce the likelihood of someone receiving a malicious link and then, if they do click it, to mitigate any impact. The language where people are blamed for this reminds me of "identity theft", where the victim is blamed and assigned responsibility when it's the bank that has failed to perform effective identity verification and should take all the blame.
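As an added illustration of what "the technology mitigates the click" can look like in practice (this is example code written for this page, not Grant's or any vendor's implementation), the sketch below does click-time link protection: every `http(s)` link in an outbound email is rewritten to point at a gateway with an HMAC over the original target, and when the link is clicked the gateway verifies the signature and then judges the real destination (IP-literal hosts, punycode hosts, a protected brand name used as a subdomain of another domain, one-character lookalikes of a protected brand, executable downloads). The gateway hostname `links.example.net`, the secret key and the list of protected brands are constructed assumptions for the example; a real deployment would use a rotating key, a threat-intelligence feed and a proper public-suffix list rather than the "last two labels" heuristic used here.

```python
"""Click-time link protection (added example; constructed data, not a vendor's product)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse, urlsplit

SECRET = b"example-key-rotate-in-production"          # constructed; use a managed, rotated key
GATEWAY = "https://links.example.net/click"           # assumed gateway endpoint
PROTECTED_BRANDS = ["example.com", "examplebank.com"]  # constructed brand list
DANGEROUS_EXT = (".exe", ".scr", ".hta", ".js", ".vbs")

LINK_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def sign(url: str) -> str:
    """HMAC-SHA256 over the original target so the gateway only follows links it rewrote."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html: str) -> str:
    """Mail-flow side: replace each href with a signed gateway link. The user sees no change."""
    def repl(m: re.Match) -> str:
        url = m.group(1)
        return f'href="{GATEWAY}?u={quote(url, safe="")}&s={sign(url)}"'
    return LINK_RE.sub(repl, html)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character brand lookalikes (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str]:
    """Gateway side: decide allow / warn / block for the real destination."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host:
        return "block", "no host"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "block", "IP-literal host"
    if "xn--" in host:
        return "block", "punycode (IDN) host"
    labels = host.split(".")
    # Heuristic: treat the last two labels as the registrable domain (a real system uses the PSL).
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    if registrable in PROTECTED_BRANDS:
        return "allow", "protected brand"
    for brand in PROTECTED_BRANDS:
        brand_label = brand.split(".")[0]
        if brand_label in host:
            return "block", f"brand {brand_label!r} appears inside unrelated host {host}"
        if _edit_distance(registrable.split(".")[0], brand_label) == 1:
            return "block", f"lookalike of {brand}"
    if p.path.lower().endswith(DANGEROUS_EXT):
        return "warn", "executable download"
    return "allow", "no findings"


def handle_click(url: str, sig: str) -> tuple[str, str]:
    """Verify the HMAC first so a tampered or forged gateway link is never followed."""
    if not hmac.compare_digest(sign(url), sig):
        return "block", "bad signature"
    return classify(url)


def serve_click(gateway_url: str) -> tuple[str, str]:
    """Entry point for a clicked, rewritten link: pull u and s out of the query and judge them."""
    q = parse_qs(urlsplit(gateway_url).query)
    return handle_click(q.get("u", [""])[0], q.get("s", [""])[0])


if __name__ == "__main__":
    # Constructed sample email body.
    body = '<p>Your statement is ready: <a href="https://examp1e.com/login">Sign in</a></p>'
    rewritten = rewrite_links(body)
    link = rewritten.split('href="')[1].split('"')[0]
    print(rewritten)
    print(serve_click(link))
```

The point of the split is that the user's task (reading mail, clicking a link) is unchanged, while the decision that they "should have spotted" is moved to a place that can actually make it: the gateway sees the real destination, can consult feeds the user cannot, and can be updated after delivery.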
4. What small things make a big difference in Information Security?
Good design makes everything much easier. Retrofitting is either very difficult, expensive, or less effective.
5. What is the biggest misconception or the biggest mistake that people make about Information Security?
If you’re in a big company, the misconception is that Infosec is about saying no. It’s about asking how we can get a better business outcome, with better security, at minimal inconvenience and cost.
6. Which single concept from Information Security deserves to be more widely known?
Consider the threats before deciding on a course of action.