A conversation with Chris about security and stuff – part 2
Wait just a sec, this is the second post of an interview with PaperCut CEO and founder Chris Dance. Read part one of this conversation.
Now, I don’t shy away from a little gossip in my blog posts, so I ask Chris if he’s heard any horror stories about human negligence. At this point, Chris has the biggest CEO-sized grin ever on his face.
“Oh, there are many horror stories and many I’d love to tell a story on, but I can’t. I can point to a number of situations where the way we think about security in the analogue space is that a lot of it is not about capturing or catching the perpetrator.”
I feel like I’m living in an episode of CSI: Camberwell with his talk of perps and situations.
Modifying user behavior
“It’s about modifying user behavior to prevent the accidents occurring, and it’s something as simple as someone’s printed out some patient records, or in one case there was a case where it was relating to a court case or something, and it was accidentally left on a train.”
That’s a lot of cases.
“And it went into the media,” he continues, “Because someone on the train picked it up and said to themselves, ‘This is obviously not meant to be public, I’m going to email my mate at the newspaper,’ and it became a story. It wasn’t a hacker coming in, it was an accident. That can happen to any business.
“So we often think of print security as the security before print, the security of the printing process itself, and more importantly – this is what’s often underbaked – security after printing.
“Sure you can protect that document for the second it transfers into the printer hardware,” Chris continues. “You can protect it for the five minutes it might be on the printer and not accidentally picked up, with secure print release. But what about the 10 years that document is going to exist? So if you can do things like digital signatures, watermarking, archiving, visual watermarks where the user is reminded every time they look at that document, ‘Oh yeah, it’s got my name on it and this signature. I better not leave it on the train.’ You know every time someone looks at a document, they are reminded of their obligations.
“So just those little tricks, where we’re not looking at catching the problem, we’re looking at modifying the behavior, through nudging, is actually where the big security gains come. It doesn’t matter if it’s email security, you know those nudges about not opening attachments from strangers, it’s not fixed with software, it’s fixed with nudges on human behavior.”
Whose fault is it anyway?
All this talk about accidental boo-boos begs the question: who’s to blame, ultimately? Is it the IT department’s fault if something gets left in the printer tray? Or is it the user’s?
“It comes back to that layering concept,” Chris begins.
Oh. Ok. We’re back on the onions.
“You might say,” he continues, “‘Someone left that on the printer – it’s their fault’. But if you follow it through the layers using something like the 5 Whys, you’ll end up with a better system. So use opportunities, whether it be a mind experiment, a thought experiment, or an actual event, to implement continuous improvement.”
A SIDE NOTE: 5 Whys is about getting to the root cause of an issue to solve a problem. It’s all very well and good to point an accusing finger when we see Arthur from payroll leave his sensitive printouts exposed. But why is it possible for that to happen? Lack of education from IT? Why? Lack of time to educate? Why? And so on.
I ask Chris what PaperCut can do to help systems administrators and IT managers to tighten their print security environments.
“If you go to our website and have a look at our security whitepaper, we’ve defined best practice for security. Not just software features; looking at processes, user behavior, and so on. It’s this high level, broad thinking that helps us innovate with our software, too.”
Not your normal print security problem
Chris then launches into the origin story of print archiving. And I’m pleased he does. It’s a cracking story.
“We were at a conference one day,” he begins. “And a teacher came up and said, ‘I’ve got an issue with printing but it’s not your normal problem. We’ve got a case where a student is bullying the staff.’
“What they were doing is this student had captured pictures on their mobile phone of staff members pulling unintentional funny faces.
“They’d then printed a hundred copies of these photos and posted them up all around campus. They wanted to catch who was doing it because it’s not fair on the staff, and particularly one or two targeted staff members.
“I said to the teacher, ‘That’s a really legitimate problem’. It wasn’t one that I’d ever thought of, from a print management perspective.”
Chris pauses for a moment, remembering.
“That’s where print archiving, the initial idea of print archiving came out. Archiving every print so you could go back and inspect it, to protect those staff. And they caught him,” he remembers fondly. “So that’s an example where innovation comes from thinking more broadly.”
The future of document security
Our time is coming to an end. I ask Chris what he thinks the future holds for document management. Not for the first time, his response surprises me. I was expecting something about blockchains or wearables or AI or 4D or some such thing.
“I think one of the aspects in the print security side is really getting awareness of what’s currently available,” he begins. “What’s in our software, awareness of best practice. I think simplification helps with that. So can we simplify the features in our software, for example, to make it more accessible? Can we take best practice, which is working well at some organisations, and encourage others to do that by sharing that there’s a best practice or a benchmark?
“I think that a lot of innovation in print management is just getting what is currently available out to the masses. Simplifying it, making people aware of it, making it easier to set up.”
Suddenly, a wild thought appears: is Chris suggesting existing print management software is under-utilized?
“You can apply the 80/20 rule. 80% of customers use 20% of features. We take anonymous usage metrics for PaperCut MF, we talk to our customers, it’s very, very clear.
“A lot of it comes from the mindset of, ‘I’m setting something up, and I’ve got a day to set this thing up. I’m only going to do what I can in the time I’ve got.’ Now if we can give the nudges where it becomes a continuous improvement thing, the more of those under-used, time-saving, security-minded features can be leveraged over time.”
Our time is up. I thank Chris. I feel a little smarter about document security. But perhaps not quite as smart as Chris.