September 2023

Published: 13 September 2023

Managing the Human Factor in Information Security by David Lacey

David Lacey is a researcher, writer and innovator in Cyber Security and IT Governance, with more than 25 years’ experience directing IT Security and Governance for Shell, Royal Mail and the UK Foreign & Commonwealth Office. He has written a number of books and numerous articles.

Writing a book on any subject in a way that is engaging and relevant is no easy task. Perhaps especially so when we are talking about data protection and information security which have a reputation for being rather dry and impenetrable subjects.

I am only sorry that I have not come across Lacey before now. What a wonderful writer he is! Even the list of contents is worth pausing over (e.g. Power to the People / There’s no such thing as an isolated incident / Zen and the art of risk management).

This book was published a few years ago but is as relevant (if not more so) today when we seem to be drowning in stories of data related failures.

Lacey gives us not only a comprehensive analysis of where the vulnerabilities are, but – importantly – also offers us practical and do-able solutions not only for those responsible for the technology, but for anyone interested in business/organisational success (which should be everyone!).

It is one of the most constructive, hopeful and practical insights I have come across in a long time.

“Risk management will always be a major challenge. It’s an unusual blend of logic and feeling, with the latter dominating the former. And most people are bad at assessing risks. They have different perceptions, shaped by their personality, experience, culture and other influences.

Information security is a long-term journey. The starting point is to develop a clear vision of what needs to be achieved, and a strategy setting out how we intend to get there. Everybody needs a structure for their work, but it’s important not to become distracted and lose sight of our real objectives. Frameworks and architectures are a means to an end, not an end themselves.”