People Centric Security: Transforming Your Enterprise Security Culture

Lance Hayden

Published by: McGraw Hill

ISBN: 9780071846776

RRP: £36.99

Reviewed by: Jim McGhie CEng MBCS CITP

Score: 5 out of 10

People Centric Security deals with understanding, measuring and transforming the security culture of an enterprise organisation. It is written in three distinct parts. The book starts by asserting that the world of IT is in a state of crisis brought about by data breaches leading to major security incidents.

Recognising that society has undergone a major culture shift brought about by adopting networked digital technology, the author claims that what is required to deal with these cultural changes is to furnish the individuals responsible for information security with a new set of concepts and techniques.

The book argues that a people-centric approach to security is not simply a matter of addressing the threat posed by humans in the operation of IT and designing procedures to cope with the problems that may arise. An effective approach needs to go much further, looking beyond the organisation's immediate security needs to embrace the design of systems that put people at the centre. The author then considers cultural threats and risks in considerable detail in order to round off part I.

Part II covers the measurement of security culture. It asserts that in any organisation there are multiple competing cultures, each reflecting local values and priorities. It is highly unlikely that everyone in the organisation shares the same beliefs and assumptions regarding how security should and does work.

The author proposes a framework for interpreting and comparing cultures. Tools are provided to allow the reader to survey and unravel cultures, along with mapping techniques that allow them to be displayed and communicated diagrammatically. By the author's own admission, this is a fairly intense section of the book.

The steps and the work necessary to transform a security culture are the subject of part III. A FORCE behaviour model is proposed for the implementation of people-centric security. The origins of the model are first discussed, along with its five core values and applicable metrics. The book concludes by considering at length, amongst other things, the security value of failure, resilience and expertise.

The book is likely to appeal to a fairly narrow readership of project managers and IT culture-orientated specialists who are seeking an alternative to the more traditional way in which culture is dealt with within organisations.

I award the book five out of ten in terms of its readability and value for money.

Further information: McGraw Hill

January 2016