This has been a particularly exciting week for all of us here as Bruce's book, Rethinking the Human Factor, has hit the shelves! Hard copies arrived at our offices yesterday (to much fanfare), and the paperback and Kindle versions are available on Amazon.
It's Bruce's first book, and the culmination of not just six years spent looking into the human element of information security but a further 15 years working in the industry, and all that he has learnt and seen in that time.
Setting the scene – 10 April 2018
As Bruce was penning the first draft of the book earlier this year, Mark Zuckerberg (CEO of Facebook) was being questioned by 44 senators at the joint hearing of the Commerce and Judiciary Committees. It was possibly the starkest reminder yet of how important information security is, and that even some of the world's best-known companies don't get it right. Far from it.
The book is a manifesto, inspired by Bruce’s work, to encourage anyone and everyone in infosec to address the human factor. It’s “a philosophical approach to information security awareness, behaviour and culture”, and essential reading for anyone in the sector – as well as their bosses. No one wants to have to face the Senate or a roomful of MPs asking questions.
For too long, security compliance has been seen as purely an IT problem, with very little understanding of the importance of awareness, behaviour and culture, or of how to use what we know about them to benefit an organisation's security programme.
Rethinking the Human Factor acknowledges that wherever there are humans there is human error, and that human error creates vulnerabilities. We know this, attackers know this, but lots of other people don't seem to know this. It's only when a breach of some sort occurs that CEOs are forced to answer tough questions, as Mark Zuckerberg was that day.
When questioned, they often admit they could have done more but didn’t due to cost, pragmatism or their attitude to risk.
A quick introduction to Rethinking the Human Factor
The book begins by explaining that the tools and strategies information security experts and CISOs have at their disposal are still relevant and useful, but they're not a complete solution. What's needed are simpler solutions that embed security culture into an organisation's wider culture, rather than seeing it and treating it as a separate entity.
Focusing on technology leads to teams whose skills and areas of expertise neglect the human factor. To create more effective solutions, we need people who understand why the present approaches haven't been able to change people's behaviour or improve the success of security programmes.
That means learning from our friends and experts at the cutting edge of a range of different disciplines, from neuroscience, behavioural science and economics to psychology and semiotics, and then applying that knowledge to communications and to the redesign of policies, processes and procedures, to create the changes needed in awareness, behaviour and culture.
Reviews of Rethinking the Human Factor
It’s already had some brilliant feedback:
“In this evolving industry, it’s both refreshing and reassuring to find people like Bruce leading the charge on researching fields outside of our own to better shape how we influence security culture and behaviour.
Keeping a wider perspective and the end goal of positive security culture change in mind only serves to benefit us, and this book is the perfect combination of easily digestible reflection, information and valuable recommendations and actions for senior leaders, CISOs, CIOs and security awareness professionals alike.”
Louise Cockburn – Education & Awareness Manager, Burberry
“An insightful and highly informative read for security practitioners, business leaders, psychologists and behavioural scientists alike.
Re-Thinking the Human Factor explores more than just cybersecurity, it delves into the behavioural and cultural aspects of building, influencing and managing meaningful messages.
Highly recommended A*!”
Inderpal Dhami, IBM Security
“In this book, Bruce makes security personal and highlights the human factor element that runs through everything we do as security professionals, whether we acknowledge it or not.
The book demonstrates how important it is to listen rather than just broadcast, and to think about not just WHAT we want to say but HOW we should say it. And why we need to resist the temptation to just fall back on technology measures or let user awareness become a compliance box-ticking exercise.
Bruce shows us how, as security professionals, we can up our game and get better results for the organisations that hire us. He explores many areas of interpersonal communication to create a clear understanding of why these play such a vital part in grabbing the attention of the audience. He succinctly explains how we can make the rules easy to understand – and act on – and establish the part everyone must play to make it work.
I thoroughly enjoyed reading this book and, although I like to think of myself as having a pragmatic and empathetic approach to infosec, there is always more to learn and I have certainly come away with some more ideas of how to communicate more effectively, change behaviours and nurture a good culture of security.”
Matt Gordon-Smith – CISO, Anglo American
You can get your hands on a copy here (takes you to Amazon).