What have modern policing and cybersecurity got in common? Both sometimes suffer from a lack of perspective and alienate the public that they’re supposed to serve, according to Brendan O’Connor. As a lawyer working in the cybersecurity space, the SecTor 2016 speaker sees a lot of opportunity for both cops and security pros to improve their game.
At SecTor this October, the security researcher and senior security advisor at Seattle-based Leviathan Security Group will offer an alternative approach to policing security that draws on principles extending back almost 200 years.
There are nine of these principles. Known as the Peelian principles, they’re named after Sir Robert Peel, the UK’s home secretary in 1829. Peel helped establish the modern police force, and in doing so promoted nine principles of good policing (most probably written by the first joint commissioners of the Metropolitan Police).
What cops and security pros have in common
Written for police officers before Charles Babbage designed his Analytical Engine, the first general-purpose mechanical computer, these principles are nevertheless useful for cybersecurity pros. That’s because your average security practitioner has much in common with the average cop.
When bad things happen, each has to do some shoe-leather detective work to deduce the cause. Most of their time, though, is spent trying to prevent those bad things from happening in the first place, which means policing the public.
The Peelian principles – now commonly known as ‘policing by consent’ – define the relationship between the police and the public. Essentially, they say ‘maintain order, but act in such a way that the public wants to help you do it’.
There are many opportunities for security pros to maintain order by saying ‘no’. When Maggie in marketing tries to copy the entire customer database to a USB drive so that she can work on it at home, it’s the information security pro that stops her. When Andrew in accounting tries to install a dodgy shareware PDF editor that he found on an obscure web site, the security cops must step in.
That’s fine, said O’Connor, but there are ways of stepping in. Just don’t be a curmudgeon about it. Use the Peelian principles to help empower those users rather than making them feel guilty and oppressed.
The rules of engagement: play nicely
Today’s police and security pros alike clearly follow some of these principles. Principle one, for example, defines the basic function of the police as preventing crime and disorder, and nobody disputes that.
The problem lies in some of the more nuanced rules. “The ability of the police to perform their duties is dependent upon public approval of police actions,” says one. “Police use physical force to the extent necessary to secure observance of the law or to restore order only when the exercise of persuasion, advice and warning is found to be insufficient.”
In physical policing, some police forces seem to follow this rule more closely than others. There are different approaches to maintaining law and order. Similarly, some cybersecurity practitioners may shame and scare their users, constantly admonishing them for bad behavior, while others may enforce their security policies in more conciliatory, productive ways, O’Connor said.
“Don’t set yourself up as ‘I am the law’ – the American policing mentality,” he warned. From a security perspective, don’t be the person that always says ‘no’.
Instead, he advises security pros to facilitate and guide. Maggie can’t take home an unencrypted customer list, but perhaps there’s another way for her to do her job more securely. By listening to employees and working with them, cybersecurity pros can build trust.
“The answer is always going to be ‘Yes we can do that, and yes we can make this happen. I’m going to get my job done if you’re able to get your job done and don’t hate me’,” he said.
Like the best cops, the best cybersecurity pros will do these things behind the scenes, keeping order without making a fuss about it. Cops don’t need to drive tanks through the streets to police effectively, and in fact this overt, strong-arm policing can be counterproductive because it destroys trust. That’s another Peelian principle that applies to cybersecurity, O’Connor said.
“The visibility of the security function isn’t how we should be measuring whether it’s effective,” he said. “Don’t scare the company just to scare the company.”
Being the kind of security pro that adheres to Peel’s Principles means having to work harder, he points out. It involves researching alternative solutions that enable employees to get things done securely. It takes a mixture of imagination and interpersonal skill.
Ultimately, this means being more like a UK beat bobby than Dirty Harry. Know your users. Help where you can. Police by consent. Because then, when you really do need employees to co-operate, you’re more likely to get what you want.
Hear O’Connor’s talk about the Peelian principles at the SecTor conference, which takes place at Toronto’s Metro Convention Centre this October 18th-19th (with a day of training on the 17th). Register here.