Information security managers typically focus on managing risk and implementing technology controls. Yet despite a recent focus on the important role of the human factor in information security, they often neglect to consider it in their planning. When they do consider human factors, attention is usually directed at training security staff and developing security awareness and education for users. Little, if any, attention has been devoted to analyzing the interactions and patterns of communication between security professionals, their managers, and corporate executives. This presentation explores aspects of successful risk management for security officers by drawing on lessons from other high-risk professions that have a cultural legacy of overcoming risk.
This presentation builds on Malcolm Gladwell's Outliers, a book about cultural legacies and their contributions to success and failure in business. We adapt and extend Gladwell's work to analyze the human factors behind major disasters in areas such as surgery, nuclear power, and military special operations, and identify best practices that security professionals can use to develop our own rich cultural legacy, one that ensures success and minimizes the risks caused by communication disconnects. We derive a list of key indicators that act as warning signs of impending disasters or breaches. We also present a list of predictors of effective communication between information security professionals and stakeholders. We conclude by recommending specific actions and training objectives designed to dramatically improve risk management outcomes.