Los Influenciadores frente a los usuarios de la era digital

The increased focus on security is relatively recent. Multiple attempts were made with the questioning to observe the causes of this change, both in general and the origin of the practitioners' own roles specifically. This was partly to provide an additional source of data – thought to be a relatively reliably-known matter relative more speculative recollections of history invited elsewhere – but also to explore individual incidents to avoid excessive generalisation concerning macro effects.

An unexpected insight was that some practitioners had personally agitated for increased security resources in organisations where it had not been a priority, noting the increased focus which had emerged externally and lobbying for greater internal emphasis.

“I was playing at being a team player and recognised that there was a bit that wasn't being done that needed to be done”

[MAN86E-DS66]

The management response in these cases was reluctantly to accept the need for change, but to delegate this back to the IT team. These agitators therefore reported gaining these additional responsibilities as a dubious “reward” for their efforts. This resonates with a code described later which notes where security is seen as a task to delegate rather than something to be owned by the board.

A potential network fragment emerges here. Boards need to ensure that “security is done”, which requires someone to whom the task can be entrusted whose judgement can be relied upon. Given the impact if unsuccessful, management requires a method either to guarantee their delegate is competent or – as some here mentioned – at least prove all due efforts were made, which discharges their personal responsibility. Some potential actants can be observed:

 managers who must delegate security-focussed work to a specialist,

 specialists to execute the task (a candidate profession),

 a device for those specialists to prove they are competent,

 a device for management to show due diligence, and

 a body to issue those devices.

This might be represented diagrammatically as in Fig. 11, using the key in Fig. 10. Throughout this chapter such diagrams will be used to illustrate the commentary in the text, identifying the principal actants, their interrelationships and the devices used to shape the network according to their interests. Such representations are of course only summaries, assisting simply by focussing attention on that part of the network under review. As networks are essentially unlimited and contain many potential alliances to examine, it is helpful to identify those fragments which appear most theoretically interesting, to help bound the discussion.

Focal Actant

Device Actant

Relationship, Action or Influence

Desired outcome

Fig. 10: Key to later network fragment representations.

Professional Association (Focal Actant)

Credential Employer

Practitioner

Government

Device of Interessement OPP for Proof of Status/Competence

Professional Association

Higher Uptake Mandatory Licensing Translation achieves...

OPP for establishing Competence when

Hiring

Discharge obligation to certify quality

Fig. 11: Derived network fragment observed in the certification market.

This particular network will only become irreversible when security becomes complex enough to require delegation to certified specialists and a recognised device exists which is sufficiently in demand to be effectively required for practice. At this point it moves beyond a device of interessement to an inscription: an unquestioningly accepted artefact which can be used as currency. At this time it appears that the network is not irreversible end-to-end, in that the lobbying of management for control or resources is recurrent, thus accepting the advice of the specialist is not taken as mandatory.

“Unless you can get to the delivery stage of it, you're going to be forever fighting that battle. Communicating, getting an understanding, getting an agreement, getting some budget, doing it; you've got to get past to the ‘get the budget and do it’ and maintain.”

[MIN48E-SM22]

Similar stories were heard from the educationalists, who had to lobby for security to be introduced to courses rather than rely on external demand for degrees.

“At the same time, we weren't actually teaching any IT Security here, so what I did was I got some IT Security lectures included in some of the modules that I was teaching on at that point in time.”

[EDU45E-CL31]

Naturally the recollections of the interviewees will reflect their own achievements and concerns, and they may not easily be able to describe the genesis of a role pre-dating their time in the enterprise. The analysis cannot therefore rely too much into the “statistics” of the data. It can however be reasonably inferred that the actions of independently-motivated internal individuals were a strong factor in the introduction of security roles in some organisations. It is also seen that there was no obvious compelling external pressure beyond mimesis to introduce security into computing courses; developments here were similarly influenced by internals taking the initiative.

This is significant, because an ANT account must examine whether these practitioners are simply gears in a mechanism which translates some external event (such as the emergence of the I Love You virus) into internal action within an organisation (creation of a security role), possibly in the mimetic sense noted by DiMaggio and Powell (1983). Alternatively it might see these people as actors in their own right, potentially using some artefact which can be used – exactly as occurred above – as a device of interessement. This might strengthen a campaign to secure resources by being the OPP to protection from the vaguely-defined external threat the item represents. There is some minor material suggesting that at least initially the new practitioners had some leeway in their actions given by the novelty of the topic and the lack of precedence for management to follow. To consider this fully, this data must be seen together

with that reported later, where the practitioners talk down the prospect of using external actions as internal levers.

A number of the roles covered had rather vague origins, without a solid report indicating a fixed cause, particularly where the event was external but not specified.

“Yes, it came from the head of department basically saying, ‘I believe we need an IT Security role.”’

[CHA33M-SM54]

These cases show only that an increased security focus was somehow being generated and presume this was by the commercial environment but without a clear view on the cause from this data.

5.4 Certifications

5.4.1 Overview

As was noted in section 2.4.3, a number of certifications exist which may play differing roles in the network, or none. The data addressed in this section is mostly derived from questioning the interviewees' attitudes to certifications and attempting to detect what role these play in their worlds. The sections show firstly how academic certifications show similarities in network structure to their commercial equivalents but play a distinct role in a subtly different network, alongside considering how and why people are attracted to take each and what factors are in the mind of those who create them.