Skip to content

Cyber security for staff: skills vs rules

Opinion

08:00 Tuesday, 26 October 2021

UK Cyber Security Council

Most organisations’ cyber security regimes have loads of rules. We call them policies, controls or directives but they’re all the same thing: rules. And we can usually be disciplined – fired, even – for failing to follow those rules.

But is this the right way to behave? If we have a bunch of rules that we teach people to follow like sheep, we are basically getting them out of the habit of thinking. And this is a very poor state of affairs – it means that the only people putting any constructive thought into security are the people writing the rules. And nine times out of ten they are so detached from the day-to-day running of the business that the rules turn out to be impractical at worst, slightly inconvenient at best.

Am I saying that we should tell people they can disregard the rules? No, not in the slightest: I’m still going to wheel you to HR if you disclose your password to a colleague. What I am saying, though, is that just because a rule is in place, this doesn’t mean you can’t question it. In fact, I encourage people to do so.

The reason is simple: if a rule is sensible, I will be able to justify its existence very easily. For example, if you ask me why you can’t tell someone your password, I’ll explain that as a regulated organisation it’s a specific requirement from our regulator, and go on to point out that in a personal sense, if someone commits a fraud with your user ID, it’s going to be awkward for you and harder to investigate. But if you challenge a rule and I can’t find a coherent reason for its existence, this is an opportunity to change (or even remove) that rule and most likely make people’s lives easier.

So yes, we need rules. And we need to abide by them. But we also need people who think, and who challenge those rules – because the only possible outcome is that the overall rule set improves constantly over time.