Security Officer's Anti To-Do List
You are a result-driven security professional who is committed to constantly improving the auditing processes in your organization. You've read tons of articles. This one is probably the seventh article about IT security you have read today. You have introduced countless policies and controls to protect your company's digital assets. You are doing regular compliance reviews and...
Wait a minute. With all these best practices to follow, it's easy to get lost and become a real security freak. At some point, introducing new guidelines won't benefit your organization anymore. You might think that new review and control activities will improve overall security, but they'll do quite the opposite.
I want to discuss a few behavior patterns security officers and IT managers tend to fall into. Though these practices seem rational and established for a good reason, in reality they are toxic and harm the organization. It's necessary to recognize these patterns early and avoid them. A great idea is to step back and adjust security strategies to make the whole process effective and employee-friendly at the same time.
Here is the list of items from the security officer's anti to-do list.
Sending a Security Newsletter Every Day
Every day at 12 pm you send an IT security newsletter. Sounds like a good practice, right? With these emails, you raise awareness among your co-workers and help them navigate the world full of digital scams and threats. In theory, a daily reminder is a great way to stay on the same page with colleagues. But is it as good as it sounds?
Now, I need your honest opinion. How often do you read company-wide emails sent in the middle of a busy working day? How do you feel when yet another notification pops up during the busiest hours? I bet "slightly irritated" is a relatively mild description of how you feel. Actually, your co-workers feel the same way.
While ensuring security and mitigating risks is your full-time job, their daily tasks are different. Even the most engaging newsletters are a distraction if they are not relevant. If you send your security emails with the same subject every single day, most employees will create a rule to move these emails directly to the corporate spam folder. And these emails will never ever be read.
Should you come up with a unique subject every day? Please, no! You won't encourage your co-workers to read your emails. You will literally force them to block all emails from you. In this case, there is a good chance they will miss an important breach alert because you gradually taught them to ignore all messages from you.
What can you do? Try being less intrusive: send reminders every now and then, but not as often as you used to. Remember that the main purpose of a security newsletter is to educate employees and not to show how important or hardworking you are. The emails you send must address a specific issue, such as a recently discovered breach, and provide mitigation or recovery steps. To share general security ideas, set up a corporate educational portal and encourage co-workers to complete training.
Looking Distant and Superior
Being concerned about digital security and committed to improving your skills, you can easily become distant from your co-workers. You know more about the organization's operations than an average manager or office clerk. I bet at times you feel superior, since you are on the first line of defense and deal with threats most employees are not aware of. From your co-workers' point of view, your job might seem like a bit of a mystery.
Is it worth keeping a mystery around auditing and security? For sure, you have access to audit data for a good reason, and not everyone should have the same permissions. Still, being silent and arrogant in your field does not help you build trustworthy and healthy communication with your co-workers. Although you might be far better educated in digital security, your main goal is to bring them on board and encourage everyone to participate.
Demystify your auditing workflow. Make it transparent without sharing sensitive data. Explain why you enforce certain controls and why they are important. Teach your colleagues to identify common threats and encourage them to be proactive. Instead of being distant, let them know that you are available for friendly advice on security-related questions. Great communication is a valuable asset when it comes to IT security.
Treating Employees Like Criminals
I can't blame you if you have become kind of a control freak with all these threats around the corner. If you work in an industry that is prone to espionage and digital scams, you expect intruders and external attackers to try to break in at any moment. Of course, you are keeping an eye on co-workers as well, since you never know whether you have malicious insiders in the company. And you are right.
At the same time, being concerned about digital security shouldn't make you overly suspicious. Please, never ever treat your fellow co-workers like criminals! Even if someone happens to violate your security guidelines, don't punish or shame your colleague! Investigate the case, explain the threat, provide friendly advice and make sure to be polite.
In most cases, your colleagues break basic security rules because they are careless or because they are not paying attention to your work. After all, they have their own tasks and deadlines. When you threaten your co-workers with countermeasures or publicly blame them for minor issues, you don't work towards your auditing and security goals. With this type of behavior, you actively demonstrate that your co-workers are incapable of maintaining the company's digital assets and cannot be trusted. And in the vast majority of cases, that's not true.
Try changing your behavior and the way you communicate with colleagues. Be friendly and supportive. Be the first one to answer questions, educate and explain while being respectful. Soon you'll see that more and more people are willing to follow your guidelines and you don't need to force or threaten them.
Enforcing the Strictest Policies Possible
Combating risks is a hard job. What could be more effective than enforcing the strictest policies? External attackers will have a hard time stealing an employee's identity. Rogue insiders will have trouble accessing corporate assets. Sounds like a good idea, doesn't it?
In fact, establishing really strict policies and guidelines might harm the organization's operations and actually decrease security. When the guidelines are overly complicated and difficult to follow, employees tend to find ways around the obstacles that keep them from doing their job. For example, here are some actions your co-workers might be taking right now:
- Writing down complicated passwords on a Post-it note. One can easily forget a password if every service within the organization requires a unique 20-character password that is changed every two weeks.
- Printing out files with sensitive data. At an important business meeting, no one wants to spend valuable time going through multiple authorizations.
- Sharing data through messengers with unauthorized employees. Probably these employees are waiting to be granted permissions but the change control procedures in your organization take a long time and require multiple approvals.
These are just a few examples, and there are many more. At times, your co-workers are so tired of time-consuming, multi-tier authorizations that they find workarounds. Don't blame them. They don't mean to jeopardize your work or security in general. In most cases, what your colleagues are really up to is doing their job.
Your best choice is to set up a monitoring system that won't distract them while keeping you alerted to suspicious events. With ongoing monitoring established in the right way, you'll have detailed information about activity and enough time to mitigate risks.
As a Conclusion, or What to Include in Your To-Do List
I don't want to say that breaches never happen because of employees. Some employees may turn out to be rogue or malicious users. What I want to say is that you shouldn't grow a culture of suspicion and punishment in the company. Your co-workers should be your best allies.
#1. Building great communication with your co-workers is the top priority on your to-do list. Make sure to be friendly and approachable, be prompt to answer questions and educate your colleagues, be there for them. At first, this can be tough. You can check out some reasons why your colleagues violate your policies in this article: Employees Jeopardizing Security Policies. Help! Remember to encourage everyone to be proactive and security-conscious. Positive motivation proves to be more effective when it comes to human beings.
#2. Regularly review your auditing and monitoring techniques. Check out the Four Basic Steps the Auditing Process Consists Of article to learn more about auditing basics. Enforce policies that improve both security and operations in your organization.
#3. Set up an effective change auditing workflow. Cygna Auditor is a great tool to get into what's going on in your IT infrastructure. Keep a bird's-eye view of operations in general and enable alerting for business-critical assets. Keep track of permission changes and user activity outside working hours.
#4. Prepare a remediation plan and decide how you're going to handle risks. To learn more about risk management, see Best Practices: Risk Assessment Strategy.
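The "alert only on what matters" idea from the monitoring paragraph above and from item #3 (permission changes, activity outside working hours, priority for business-critical assets) is shown below as an added example; it is not code from this article or from any auditing product. The event format, the asset names and the 08:00-18:00 working day are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit events, "<ISO timestamp> <user> <action> <asset>".
# Made-up lines for this example, not output from any real auditing tool.
SAMPLE_EVENTS = [
    "2024-03-04T09:12:00 alice LOGON fileserver01",            # Monday, in hours
    "2024-03-04T23:40:00 bob LOGON fileserver01",              # Monday, late night
    "2024-03-05T10:05:00 carol PERMISSION_CHANGE finance-share",
    "2024-03-05T03:10:00 dave PERMISSION_CHANGE hr-share",
    "2024-03-09T11:00:00 erin FILE_READ public-share",         # Saturday
]

WORKDAY_START, WORKDAY_END = time(8, 0), time(18, 0)   # assumed working hours
CRITICAL_ASSETS = {"finance-share", "hr-share"}        # assumed critical assets


@dataclass(frozen=True)
class Alert:
    user: str
    action: str
    asset: str
    severity: str        # "high" when a critical asset is involved, else "medium"
    reasons: tuple


def is_outside_working_hours(ts: datetime) -> bool:
    """True on weekends, or on weekdays outside WORKDAY_START..WORKDAY_END."""
    return ts.weekday() >= 5 or not (WORKDAY_START <= ts.time() < WORKDAY_END)


def evaluate(events, critical_assets=CRITICAL_ASSETS):
    """Raise alerts only for permission changes and off-hours activity.
    Routine in-hours work is recorded but never pages anyone."""
    alerts = []
    for line in events:
        stamp, user, action, asset = line.split()
        ts = datetime.fromisoformat(stamp)
        reasons = []
        if action == "PERMISSION_CHANGE":
            reasons.append("permission change")
        if is_outside_working_hours(ts):
            reasons.append("activity outside working hours")
        if not reasons:
            continue                     # normal activity: no alert
        severity = "high" if asset in critical_assets else "medium"
        alerts.append(Alert(user, action, asset, severity, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.user} {a.action} on {a.asset}: {', '.join(a.reasons)}")
```

Running it flags bob (late-night logon), carol and dave (permission changes, dave's also at 03:10) and erin (Saturday read), while alice's ordinary Monday-morning logon produces nothing.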