Welcome to the [Liberate|Manumit|Absolve] Security Blog
Blog Entry 1: Setup for Success?
This morning I was reading The Role of Human Error in Successful Security Attacks as part of doing research on the impact of social engineering. As I read it, I found myself feeling empathy for the employees who are the targets of such attacks. For example, "These tools can also prevent users from engaging in inappropriate behavior, such as sending documents home via email or placing them on file-sharing sites or removable media such as USB sticks." I can just see an employee sitting at their desktop at work, realizing that they have to go pick up their son from daycare right now, but their project is due tomorrow. Of course they are going to take it home via personal email or USB stick if that's the only way they can work on it from home. You can't leave a small child home sleeping while you go back to work, and missing the deadline could have significant career consequences. Being in the field for many years now, I often see us security experts espousing guidance that makes running the business difficult. Certainly some tradeoffs are necessary, but people will work around any security boundary that makes it hard or impossible to do their job. We hire amazing scientists, recruiters, engineers, marketing professionals and the like, and then suddenly expect them to be security experts and produce results in the same time frames and at the same quality levels even as we put security hurdles in their way. Is there a way to enable our people to focus on doing what they are amazing at, without unacceptable security risks? Can we make doing the secure thing the path of least resistance? In this blog I'll be exploring common social engineering issues, and ways we might alter the system to increase protection without impeding the business.