I had an interesting insight today when meeting with a customer. We were talking about their information security challenges and she mentioned that their main concerns are what they call the “Three Rs”. Now I have to admit that this phrase had me stumped, as I have never before come across the “Three Rs of information security”. My mind scrambled to think what she could have meant. Was it Risk, Respond and React? Or was it Roles, Responsibilities and Rules?
I had to admit defeat, not understanding what she meant, and asked her to explain what the three Rs were. My client smiled slyly and went on to explain what the three Rs meant. In their organisation the majority of information security incidents happen as a result of staff’s deliberate or accidental actions when using the information systems to either;
She went on to explain that they had a number of incidents in the past where some members of staff had robbed components from PCs and in some cases the PCs themselves. Staff had also “robbed” copyrighted material such as music and movie files and unauthorised software to install on their systems and they had to deal with those.
Some staff had ruined their systems in many cases by clicking on attachments and links in emails or by other actions contrary to the Acceptable Usage Policy.
Finally, other members of staff had ‘recked’ (wrecked) systems, either by deliberate actions due to being disgruntled or accidentally from not being trained properly.
So while it was an amusing sidetrack to our meeting, I think it does serve as an important lesson when considering how to manage our information security. If you are a consultant advising a client, don’t assume that their perspective and drivers with regards to information security are the same as yours or those of clients you have worked with previously. Developing an information security management system or strategy is not a cut-and-paste exercise.
If you have engaged a consultant, then make sure they fully understand the challenges that YOU face, and don’t accept their assumptions and viewpoints without ensuring they match yours.
I would be interested, though, if any of you can come up with alternative meanings for the “three Rs” or highlight other areas where misunderstandings have arisen in the past.