I was always fascinated by the complexity of the technology discipline. The truth is, it’s very broad. ISACA helps to define some of the career pathways for young professionals through its educational resources and certification program. This made me think about where I saw myself adding value to the industry.
I come from a technical background but, after just a few years in the industry, I quickly realized that not all the problems could be solved through technology. I decided to learn more about information security management, culture and usability while studying for my MSc in Information Security. I also started attending local ISACA chapter events to learn from the practitioners in the field. The talks, conferences and networking opportunities I’ve been exposed to through these events (ISACA provides generous discounts for students) at an early stage helped me to narrow the focus of the research I was conducting for my postgraduate degree.
I wanted to understand the human element of security better and ended up writing my thesis on modeling conflicts between security compliance and human behavior. This involved working with people to understand root causes of poor security culture in organizations. I had an opportunity to present my findings to the ISACA community at a London chapter event and gather valuable inputs to refine my research. This laid the foundation for my book, “The Psychology of Information Security.”
Throughout my consulting career, working across various industries, I’ve seen some badly implemented security projects that completely missed the point. A lot of them didn’t have business objectives, and more importantly, people in mind. The truth is, the majority of employees within an organization are hired to deliver specific results or perform activities like marketing, managing projects, goods manufacturing and so on. Their main – sometimes only – priority will be to efficiently complete their core business activity, so information security will usually only be a secondary consideration.
Therefore, managing change and organizational culture should start with understanding your company, people in your company and what drives them. In the case of security, understanding motivation begins with understating why people don’t comply with information security policies.
I wrote this book to help security professionals and people who are interested in becoming one to do their job better. I believe that they not only need to ensure that a company is adequately addressing information security risks, but they also have to communicate the value of security appropriately in order to be successful. The main aim of the book is to gain insight into information security issues related to human behavior from both end-users’ and security professionals’ perspectives. It provides a set of recommendations to support the security professionals’ decision-making process when implementing controls and communicating these changes within an organization.
I conducted a number of interviews with security leaders from various sectors, including financial services, advertising, media, energy and technology, some of whom I met through my ISACA network. Their views, along with further relevant research, were incorporated into the book in order to provide a holistic overview of the problem and propose a solution. The feedback I’ve received from the community so far has been very positive, and I’m glad I have an opportunity to help people address some of the challenges they face in this area.
On a personal note, the project reinforced the value of connecting with professional networks – such as the one provided by ISACA – early in one’s career.
About the author: Leron Zinatullin (@le_rond) is an experienced risk consultant, specializing in cybersecurity strategy, management and delivery. He has led large scale, global, high value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors. Visit Leron’s blog here: https://zinatullin.com/. To find out more about the psychology behind information security, read Leron’s book, The Psychology of Information Security.
Editor’s note: For more resources on harnessing the power of networking early in your career, visit www.isaca.org/membership