Cyber Security Relationship Infrastructure

There’s a cliché going around that every company is turning into a tech company. Not everyone agrees with that statement, but what is undeniable is that technology continues to be the driving force for companies seeking to produce more, faster, while paying less. Finding efficiencies is the primary objective of organizations big and small, young and old. The rapid adaptation of business practices and services raises the level of difficulty for Information Security programs. Security is asked to provide visibility, prevention, and response for environments that are constantly changing, and the truth is that technology alone is not enough to address our problems. We all instinctively know this, but it’s worth repeating: human relationships are the cornerstone of an effective Information Security program.

This post may seem silly, because you’re likely reading it thinking, “of course it’s about people.” But think about all the opportunities you may have missed recently to build and maintain a positive relationship with a person or a group that could have helped you accomplish your goal. Security teams commonly think only about which relationships within IT are needed to be successful: the Service Desk, Network Operations, Server Build Teams, and so on. The world is much bigger than IT, however, and successful security teams have begun to realize that integration with the business, not just with IT, is paramount to protecting an organization. Developing these relationships amounts to developing an infrastructure designed to feed intelligence, improvements, and response capabilities into an Enterprise Security Program.

A Security Manager’s primary goal is to improve the overall efficacy of an Enterprise Security Program. Every organization on the planet has more problems than answers and is, at some level, resource limited. Traditionally, executive management addresses issues, especially complicated ones, with budget dollars. This approach has two genuine problems:

  • The days of fat security budgets are nearing an end.
  • Blinking boxes can only see the IT systems you can integrate them with, which leaves most of the organization out of their reach.

The Cyber Security industry is massive, but the days of unlimited budgets will eventually come to an end. At a certain point, executives will begin to question what exactly they are getting for their investments, and many of us will have difficulty answering that question. Breaches continue to happen, threats escalate, and our answer always seems to be that we need more money for more tools. Something will have to give, and the realization may be that breaches and attacks themselves don’t necessarily represent a death sentence for companies (look at Target and Home Depot). Effective Security Programs need to start planning now for this eventuality and begin figuring out how to keep providing services without a massive budget.

Even if budgets continued at their current pace, the reality is that we are still missing out on a great deal. You cannot implement a tool to detect changes in your organization’s relationship with a vendor, to move a purchasing request through your supply chain group, or to win acceptance for your team when they begin working with people in the field. These human-dominated domains are critical to your ability to manage the organizational risks that relate to technology. Developing powerful partnerships may sound good, but here is the challenge you may be facing: nobody likes to work with security. It’s a fair point of view, because security is frequently charged with pointing out the problems with a plan. Ever hear the phrase, “it’s easier to ask for forgiveness than it is for permission”? Yeah… that sums up working with security. So let’s get to the meat of this post. How do we transform our Security Program into one with a strong relationship infrastructure, one that earns the organizational buy-in and the partnerships needed to push the bar forward? Every organization will be different, but here is what has worked for me: refusing to be punitive, refusing to be the team of no, and understanding the processes of the different business units.

REFUSING TO BE PUNITIVE

Many organizations run phishing training for their employees as a way to raise phishing awareness and give employees the tools needed to identify and report phishing attempts. The training usually takes the form of a simulated phishing campaign, with results reported to members of management. Most organizations realize this, but it must be said aloud: if you allow the outcomes of the phishing training to travel beyond your team, you run the risk of other managers using your work for punitive action. Nothing, and I mean nothing, will damage your reputation and discourage people from working with you like using their missteps against them. An important concept we practice on our team is the assumption of positive intent. We do not believe there are many instances in which employees intentionally click on a phishing link or install a piece of software that wasn’t pre-approved. Sure, insider threats exist, but they don’t go about clicking on links to help fund a Nigerian prince.

FIGHT BEING THE TEAM OF NO

Saying “no” is one of the most important and powerful tools in the Enterprise Security toolbox. But remember what Uncle Ben told Peter Parker: “with great power comes great responsibility.” The importance of this cannot be overstated. We must strive to be the team of “yes, and here’s how we would do it,” or something to that effect. When we say yes, we become a partner. When we say no, we become an adversary. Worse still, when we allow ourselves to become the team of “no” we build negative behavioral patterns that have long-term negative impacts on the organization.

What kinds of negative behaviors are we encouraging? For starters, we disincentivize teams from including security from the jump. We also allow security to be weaponized by those seeking to kill a project. Security’s job should be to measure and address risk, not to make strategic or project-based decisions. Lastly, by saying no we give the impression that Security knows better than the business units and that the ideas coming from the people performing the work are inadequate. The reality is that security rarely understands the nuances driving projects and frequently attempts to protect everything as if it were gold. The reason? Security often doesn’t understand the business units it serves. Speaking of which…

UNDERSTANDING THE PROCESSES OF DIFFERENT BUSINESS UNITS

How can you possibly defend what you do not understand? The value of enterprise security lies in understanding the risks involved in the business and how its various systems work together. Limited contextual knowledge is the big knock against MSSPs (in my opinion). Imagine shipping 100% of your security effort to a collection of people with no real connection to the nuances of your security posture. Now look at it from the perspective of YOUR customers, the other business units. They have goals and efforts just like you do, and typically they are not standing between you and the things you need to accomplish your goals. In many ways, though, security DOES stand as an obstacle between other business units and the things they are trying to achieve. Sometimes for a good reason, sometimes not.

Empathy is an incredibly powerful emotion, because it bonds two people or groups together. When you spend the time getting to know a person or a team and how they perform their work, the results are stronger connections and a better ability to deliver tailored security solutions designed to meet the real need rather than an assumption. The final result is a partnership that can be called on later to help with an issue. By creating empathy between ourselves and the people we serve, the relational infrastructure we are striving to develop gets established. We all ultimately want the same thing in the end, don’t we?

I will expand on some of these thoughts over the coming weeks. Specific partnerships with groups like Supply Chain or Operational Technology (OT) can yield incredible benefits. Simply starting to establish relationships with business units across your organization, however, yields a treasure trove of intelligence that can be fed back into your security group to drive further improvements. Don’t let the blinking boxes dominate your imagination. It’s people who drive security most.
