Security is more than a technical problem. It also depends on having the right people to implement and follow the right processes. A company’s security technologies should make people’s lives easier, from the C-suite to line-of-business employees, because everyone has a shared security responsibility. For many IT teams, complex and time-consuming security tools can feel overwhelming, leaving them unable to use all the features and functionalities that would allow them to manage security more effectively.
Purposeful collaboration is fundamental to getting security right. To create this sense of community, security teams need to regularly engage employees, inform leadership, and demonstrate organizational value.
Know the Environment — Digital and Regulatory
Changes in workforce models and customer expectations make security and security teams increasingly important to all organizations.
First, users expect digital interactions, but they also want organizations to limit data collection. Users have higher security and privacy expectations today. Further, when companies fail to meet these expectations, customers are willing to turn to competitors.
Second, more governments are passing privacy legislation directly related to customer demands, and since the enforcement of the General Data Protection Regulation (GDPR) in 2018, more legislatures have enacted privacy laws. In the US alone, in 2022, at least four more states — Virginia, Colorado, Utah, and Connecticut — will enact new privacy laws.
Finally, successful cybercrimes are easier to commit than bank robbery, and they are financially more lucrative. Cybercriminals recognize this, embracing Ransomware as a Service (RaaS) business models. This allows them to make more money stealing and selling data or holding it for ransom.
Collaboration starts with education, which goes beyond the annual security awareness training. Just like people know that they must be aware of their physical surroundings, they need to be aware of their digital surroundings. Security leaders need to think outside the compliance checkbox and work to create a more sustainable approach to security and situational awareness.
In cybersecurity, situational awareness is about understanding normal tasks and daily workflows. Then, people can recognize events outside of that normal. Whether working on a computer, reading emails, talking on the phone, or interacting face-to-face, people must be cognizant of their digital surroundings in order to recognize suspicious requests and interactions.
How to Create an Effective, Collaborative Cybersecurity Program
Most activities in cybersecurity fall under the “easier said than done” category, but using the best team-building practices makes it easier.
1. Understand Different Perspectives
The first step is to pose these two simple questions to everyone in the organization:
- Do you see any risks that the company’s not addressing?
- How do you think we should fix those problems?
The first question provides visibility into new risks since people in different roles see risk differently. The second question reduces risk by getting people to feel ownership over creating and following processes.
2. Assign Clear Responsibilities
People need to know how the organization defines its responsibility from the following perspectives:
Mature companies often have these roles and responsibilities clearly defined. Organizations should create these definitions as soon as possible because waiting until the company “gets big enough to need it” leads to technical liability.
3. Start with Critical Teams
Organizations don’t need to transform everything all at once because that can be overwhelming. It’s easier to start with one critical team to:
- Develop well-defined roles
- Implement segregation of duties
- Define operational and compliance responsibilities
4. Self-Assess People, Processes, and Controls
Conduct routine self-assessments to ensure people follow processes and document compliance with internal controls.
Monitoring user access can show holes in processes and potential points of improvement. Documentation, such as through logging, proves to the compliance team that the controls are operating effectively.
5. Name Security Ambassadors
Security ambassadors don’t need to be technical. These people care about security and feel a sense of ownership over it within their teams, helping to identify risks and implement controls. Then, the IT or security team can use technology to document whether the controls are working.
Access management is a perfect example of this. Managers best understand the access their employees need. The definitions and decisions aren’t technical.
Remember the Human Element
Security starts with people, and technology should support them effectively. By starting with people, security and IT teams can find that many of their currently deployed tools give them what they need to build a collaborative cybersecurity program.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.