If humans are the weakest link in data protection (per Verizon's 2016 DBIR) where are your security teams failing you?
When I explain to someone who asks what I do for a living, the response is ultimately the same regardless of the person's background. "Oh! Protecting information is so important, especially these days!" And yet, implementing and following good security practices seems to be a lot like exercise: everyone knows it's really important, but not everyone follows through. The great thing about following security guidelines, though, is that you can do it while sitting down! You don't even have to get out of your chair. 

Apparently there are obstacles other than physical exertion that prevent us from following through. Once my newly made acquaintances tell me how important security is, many also add how cumbersome and onerous their job is because of seemingly unreasonable security policies and procedures.  

But I get it. Reviewing and justifying your employees' access to data, or changing your password every 90 days can seem like an unnecessary burden. Does it really make a difference? Is it really worth it? (Spoiler alert: Yes! Just like exercise - if you do it right!)  

I've noticed three key areas that have contributed to successful security programs - and therefore the security teams that implement and enforce them:

1.  Culture - it starts at the top 
From my experience, the most important contributor to a successful information security program is company culture. If your executive team doesn't understand the value of data security and privacy as much as they do their assets, no one else will, either. If you work at a company where security isn't viewed favorably at the individual contributor level, it's likely that someone at the top still views security as a "necessary evil" vs. a function as integral as your customer service team. Effectively engaging the executive team should be the top priority for your security team, because no matter what else the security team tries to do or how, they won't be successful if the executive team isn't 100% supportive. 

Unfortunately, there is no single blueprint for security teams to follow to convince CXOs of the importance of paying more than lip service when it comes to security programs. A successful program is as unique as the people, products, and relationships involved. However, there are some recurring themes to keep in mind:

  • Corporate Objectives Drive Everything - An effective security team understands and internalizes company objectives, ensuring that security policies and procedures support those overarching goals. The better your security team can link their projects back to specific company objectives (e.g., SLAs for uptime, customer satisfaction and loyalty/trust, etc.), the more likely the security team will be supported and funded.
  • Business Cases Are Your Best Ally - Provide a business case to justify the cost of each security project, product purchase, or staff member. Always report on actuals as projects are completed, products are deployed and employees come up to speed. Reporting on actuals helps the team continue to earn credibility and support. 
  • Solicit Input and Feedback - Your executive team is exceptionally smart. They specialize in areas that your security team doesn't. Invite them to provide suggestions and share their opinions on what will reasonably work and what needs changes, as well as what worked well in the past and what still needs improvement after implementation. A feedback loop that demonstrates you listened and incorporated suggestions of the executive staff and their respective teams will improve the likelihood of weaving security into the culture of the company.  

2.  Caring - understanding context encourages ownership
If you can't convince people to care about security, they're not going to follow through on even the most carefully crafted policies and procedures. The only way to convince people to care is to provide context for why the procedures are relevant to them (see first two bullets above) and what purposes the procedures serve. Once they understand the potential impact of not following through on change management, for example, they should be more willing to abide by the approval process. 

Convincing CXOs to care is becoming easier with each breach publicized in the news. A CEO whose company has lived through a breach, or who has a colleague who has admitted living through one (because most are not publicized), will not need convincing. However, many executive teams lack the scar tissue that provides the invaluable context for why so many security policies and procedures are necessary.

Even if they understand how damaging security issues can be, executives at start-ups are often still at a disadvantage if the company's security plan and budget weren't included when they received funding. Until investors start requiring companies to include the security plan and budget within the business plan, the security program that is eventually implemented will likely be a post-design, seat-of-the-pants implementation of the minimal policies and procedures required to pass a specific audit that a prospect requires prior to contract signature. But that's still one way to start caring about security! The key in that case is whether proper nurturing of the security program continues after the contract is signed.

Meanwhile, caring goes both ways. The security team must care about corporate objectives, as stated above, but must also care about the needs of the users. This is where the culture comes full circle back to the security team. Security team members must be approachable, must solicit input, welcome feedback, and incorporate the concerns of staff members and users without being defensive or judgmental. They are, ultimately, a service organization and not the other way around. Policies, procedures and the execution of them must be reasonable, which brings us to our third and final point.

3.  Productivity - it all ends up in the bottom line
A security team could develop the tightest security policies and procedures, where if everyone follows them there is little to no chance of a data compromise, but if they are too cumbersome they will be circumvented. The team can implement auditing to make sure everyone is following the procedures, but finding areas of non-compliance won't matter unless there are consequences. There will only be consequences if the executive team has bought into the reasonableness of the policies and procedures. The executive team will buy in only if you are able to convince them not only of the importance of those procedures, but also that any impact to productivity, whether perceived or real, is justified through business cases and collaboration via feedback prior to, during, and after implementation. This re-emphasizes the importance of the third bullet under 1. Culture.

As you can see, these themes are as intertwined as the individuals and relationships between a company's different departments. A successful security program depends on the security team incorporating these concepts into the way they approach their responsibilities.


In future posts, I will delve into specific and pragmatic techniques a security team can use to be successful in these areas. Meanwhile, I'm going to hit the gym.


About the author
Susan Walsh is a CISSP working with startups to implement security programs that make sense for their specific business. Contact her at swalshllc@gmail.com or follow her on Twitter at @SwalshLLC.
