Framing People-Centric Security
This book is about giving organizations and security professionals a new language and new tools with which to discuss and improve information security. This language and these tools directly address a corner of the people-process-technology triangle that has been traditionally neglected by the profession and the industry. Peoplecentric security is not necessarily more important than the other two corners, although I think a case can be made to that effect, but it is equally important, and any InfoSec program that does not include people-centric approaches that are taken as seriously as process or technology is not going to have long-term success. When you have a three-legged table, there's no way to skimp on one leg and expect the resulting piece of furniture to be stable. It just doesn't work.
Security Soft Power
In foreign affairs, the concept of soft power refers to a nation's ability to get things done by convincing other nations to work with it, rather than by bribing them or resorting to military force. Soft power is also used to change public opinion through less direct and coercive channels. Joseph Nye, the political scientist who coined the term soft power, has commented that credibility is the most valuable and rarest resource in an age of information.
I could not agree with Nye more. The single greatest weakness I see in InfoSec programs, security vendors, and security professionals is a lack of credibility. No one doubts that security is important, but the security industry struggles to make the case for just how important it is, where resources should be allocated, or what constitutes effectiveness. The result is that security is naturally drawn into cultural competition with others who, no matter how critical they believe security to be, don't believe security is as critical as the things they care about. If security cannot make itself more credible in these conflicts, failures and breaches will continue to happen.
Security affairs need a soft power approach, an alternative to coercive policies and automation that attempts to force people to take security seriously without ever really convincing them of why they should. That sort of approach only works until those people can figure out how to get around the constraints, either directly or by undermining them within the organization. People-centric security concentrates on understanding how organizations think and behave as individuals and collectively, and crafting approaches to security that work with these social and organizational forces rather than against them.