For the last 4 years, I have been an outspoken advocate for the implementation of what I consider to be basic security controls. I have preached the gospel of NIST and CIS frameworks to anyone that would listen, expounding the benefits of limiting administrator access, least privileged user, and password policies to all. In my past advocacy, I would often encourage the implementation of security controls at any cost.
When IT or management would make objections based on feelings or culture, I would quickly dismiss them as being illogical and countervailing to progress. If Max in accounting doesn’t “feel” like the company trusts him because after 20 years they restrict what data he has access to, then who cares? When it comes to security, there is no time or reason to entertain irrational complainants. Or at least that’s what I thought.
I attended a WMISACA event recently and saw Jay Kennedy speak about insider threats. The presentation really got me thinking about what type of cultural impact new security controls may have on an organization. Is it possible that the actions we take are sending a message to our coworkers that they are untrustworthy, or, worse, are viewed as a violation of the trust they have in the organization and its executives? If this is happening, we have a problem.
I don’t know the full impact of the erosion of trust, but I do know there is a correlation between trust and insider threats. Obviously, insider threats aren’t created in a vacuum, and factors like financial motivation and perceived unfairness all come into play as well. But as security and IT professionals, do we really want to play any role in creating new risks? What can we do to mitigate this?
I think it is worth the extra effort to explain, in plain English, new security controls not only to management and executives but also to the employees who will be directly affected. We need to give them time to ask questions prior to implementation and establish a timeline so that no one is caught off-guard when the changes occur. We need to educate our end users, so they know why security is important and why we are making changes. We need to get feedback from the staff as to what can be done to improve implementation of the next security control. We need to do this while continuing to reinforce the benefits of improving security to not just the organization, but to them as individuals. We all know the impact of executive buy-in on security initiatives. What I am advocating is to take this one step further and get user buy-in.
If we ever want to succeed in improving security for our organization, I think we need to strive to create a culture of security.
Written by Josh Gembala, ASK ESS Manager