Security teams can’t protect what they can’t see. While monitoring tools are getting better, end users and business managers need to tell IT and security teams what they’re doing with data on different applications, and more importantly, when something has gone awry.
A culture of blame and fear when it comes to security means end users won’t tell you if they are using an unsanctioned app, have clicked on a malicious link or have seen unusual activity until it’s too late. Security teams should empower users with a culture of personal responsibility so that they treat data security in the same way they approach other company policies like health and safety.
A blame culture encourages poor security
Seeing humans as a weak link and creating an environment where employees fear reprisal for security failures isn’t a good way to run a company. Yet some organizations have taken extreme measures to punish victims of scams. A media firm in Scotland fired and sued one of its staff after she fell for a phishing scam and handed over almost £200,000 [$250,000] to fraudsters impersonating the company’s managing director requesting a payment to be made. Brian Krebs recently posted about instances of employees being fired for failing phishing simulation tests.
This kind of blame culture only makes employees less unlikely to come forward when something does go wrong ... and it puts data at risk. “The people handling the information, they can't be the weak link,” says Mark Parr, CISO at KPMG UK. “I want people to feel comfortable and that if they've made a mistake, they can tell me. That's all about building trust and for my colleagues to feel that I'm actually there to support them and not there as the stick to beat them if something should go amiss.”
To help build this trust between security and staff, KPMG has started a program that recognizes staff for highlighting security issues within the company. “I want to develop that culture where people are happy to tell me or to report into our helpdesk if there is an issue or something has happened,” Parr says. “We have an internal system where we can recognize staff and other members of staff can see that. If somebody comes to me and says, ‘I noticed this and it's a bit of an issue,’ then I will let their line manager know that this person stepped forward.”
Given the linkage among business and personal systems, applications and devices — whether via BYOD, people accessing personal emails from work computers or vice-versa, or using personal SaaS accounts for business purposes — bad personal security is another attack factor into an organization, warns Graeme Park, head of global security operations for UK ecommerce retailer The Hut Group (THG). It’s up to the business to combine the right level of controls with education, without resorting to scare tactics. “It's a re-education piece and about making security approachable, rather than coming down on them like a like a ton of bricks,“ says Park.
As an example, Park describes web proxies as often “using a hammer to crack a nut,” and a better approach would be to log everything, and include warnings if users visit sites that break policy and require the user to provide a justification as to why they need to use visit that page. “You're educating them about security at the same time as applying control, making them think and you make them justify it,” he says. “If people do that, they'll make a conscious decision of whether what they are doing is right, is safe, is in line with policy.
“They also know that it's audited then at that stage, so it actually makes them think about it a little bit more. It's empowering them a little bit more,” Park adds.
What a good security culture looks like
If a blame culture is bad, what does a good security culture look like? “It's people intuitively understanding the risks that are associated with their day to day activities and knowing and having the confidence to be able to mitigate that risk or handle that risk,” says KPMG’s Parr. “We absolutely have to move away from this idea of 'everything is fine, the CISO is looking after that for us.'”
These are the four key areas Parr and Park believe CISOs should concentrate on to provide a strong security culture.
1. Make security accessible
Since Parr became CISO a little over a year ago, KPMG UK has been on a journey to change its approach to security culture and education within the company to ensure the firm’s 16,000 UK staff across 27 locations were all on the same level when it comes to security awareness. “Good [culture] is people being confident and comfortable with information security, and not feel that it's a science or a black art,” says Parr.
A key aspect of creating a security-minded culture is making it relatable to the audience, so KPMG’s security education content has been put into as plain and easy-to-understand language as possible with scenarios crafted so they are applicable to staff. “I want people to think the same about information security at home as they would work, and by setting those real-life scenarios, and giving people real plain clear direction has been key to that,” says Parr.
“Whether you're part of the front-of-house staff that are helping clients move into one of our client presentation suites, or you're delivering an audit, or you're on the tech team that's helping clients through a technical issue, the language is the same, and they can all absorb it in the same way.”
Giving people that grounding makes it easier to understand for the end-user, and in turn means they take the security of company information more seriously as they can visualize the consequences for getting it wrong. “Accountability is a real key to success for me,” says Parr. “If people feel that they understand why they're accountable for handling and management of that data, then I've got it right.”
2. Provide continual awareness training
As part of this culture change, KPMG has moved from point-in-time presentations and assessments to what Parr describes as a “a steady drumbeat of awareness” through events, training, videos, and podcasts. “Watching a PowerPoint slide deck, clicking through as quickly as you can and answering 20 questions at the end and hoping you pass doesn't really show me anything. That just shows your ability to retain some information from slides. What I what I want is for people to understand that there's some rules and guidance available, to know what they can and can't do, and their role to play.”
“It starts with a release of a very plain language, easy to read policy document that's been condensed into one page of headlines just to capture people when they have just got a moment to read it,” says Parr. “Then [it goes] all the way through to little three-minute vignette videos that they might watch when they're on the train on the way into work. It's about keeping that continual drumbeat of activity going, so that people are always being reminded.”
While measuring culture can be difficult, Parr has worked with the company’s learning and development team to create engagement metrics around how many of the company’s staff are listening to podcasts, watching the videos and engaging with the other security content the team is producing. This can help provide an indicator of whether material is striking a chord with the staff.
“I've also got to keep thinking about new ways engage with our staff,” he adds, “not just try to beat them over the head with security, but actually getting them much more involved in what it is I'm trying to achieve.”
To help drive engagement with the materials, regular messaging from the organization’s leadership encourages people to watch, read and listen to the security materials. “Business information security officers” sit in operational areas of the business as information security subject matter experts. They encourage staff more directly to participate.
3. Partner with employees on shadow IT
Rebuking employees for using unsanctioned apps – known as shadow IT – is equally ill-advised as firing them for security failures. “Shadow IT has been around as a problem for a long time,” says Park. “The drivers behind it are really that pervasiveness of IT systems; whether it's software or hardware, in the home and everywhere else.”
“People aren't bad; they're not trying to use shadow IT to deliberately circumvent company policy or company security. It's usually the case that they just want to do their job better, faster, easier,” says Park. “It’s a failure of IT and security; we can change from being that blocker to being an enabler to make sure that people have got the tools that they need to do their job.”
Park says shadow IT can range from SaaS services or unsanctioned desktop applications to what he describes as “smaller but just as impactful shadows” such as integrations into Slack or JIRA, browser extensions, or even Amazon Alexa-like devices on corporate networks. Whatever form the shadow takes, IT and security need to be more open to accepting it because fear of reprisal for circumventing company policy will lead users to never telling IT what they are doing.
“We need to be smarter about this. It's going to happen anyway. If there's limited risk in using some of these external tools -- let's say a design tool somebody wants to use for branding and graphics that are not particularly not classified -- there's potentially limited risk around a scenario like that. You need to be able to give people a degree of flexibility,” says Park.
4. Demonstrate what good looks like
Changing the security culture within a company also means a change in mindset from the security team. In the same way that staff want a CSO to be a good communicator and leader, the security team needs to follow suit and be both visible and approachable.
“Security has not done a good job over the last ten years of being an approachable, understood concept,” says Park. “We struggle to talk in plain terms, we struggle to articulate risk without articulating real fundamental technical problems.”
Instead, he says, security needs to get its messages across in a way more akin to health and safety warnings. “It's very easy to explain to someone why they shouldn't climb a ladder without some personal protective equipment (PPE), because the impact is very visible and obvious. Explaining to someone why they can't use Dropbox when they should use SharePoint is it a little bit harder to get the point across because it doesn't look to them like it has the same impact.”
“We need to actually be engaging and educating and make sure that people understand what they're doing, understand what happens if they do lose certain documents or intellectual property, but also empowering them," says Park. “There's absolutely massive value in framing the problem in a personal context.”
Parr has been working with the security teams to change their mindset to become ambassadors and champions of the kind of security culture he is trying to instill in the rest of the company. “They're demonstrating what good looks like, and they're continually showing our colleagues what good looks like,” he says. “For a long, long time, information security was seen as the bit of business that threw the wet blanket over that wonderful, spark of a bright idea that somebody had. It isn't like that. I'm there to absolutely help the business understand how we can operate and advance but do it safely and securely.”