By Jim Nitterauer, Director of Information Security, Graylog
Often, companies approach cybersecurity as a technology problem, forgetting that people and processes are also part of defending against threats. It’s important to remember that those technologies exist to make people’s lives easier and that people must be an essential part of security.
Effective cybersecurity requires purposeful collaboration across all departments, from senior leadership to individual contributors. Getting everyone on board with security requires setting goals that engage employees regularly, keeping leadership up to date, and demonstrating value back to the organization.
New Challenges in a New Landscape
Security – and security teams – are increasingly important to all organizations.
Today, customers want digital experiences, but they also expect organizations to limit data collection. Customers have higher security and privacy expectations today, especially as data breaches and ransomware attacks are often in the news.
This directly leads to the second challenge companies find themselves facing. In response to these news headlines, more governments are passing privacy legislation. While the General Data Protection Regulation (GDPR) is no longer new, we can’t underestimate its impact on the regulatory landscape. In November 2020, Californians voted to update the California Consumer Privacy Act (CCPA), renaming it the California Privacy Rights Act (CPRA), which included several new, stricter requirements. The CPRA is notable because it gives customers the ability to sue in civil court. In 2022, at least four more states – Virginia, Colorado, Utah, and Connecticut – will likely implement new privacy laws as well.
Finally, cybercrimes are financially lucrative and easier to commit than a bank robbery. Cybercriminals can make a lot of money stealing and selling data or holding it for ransom, especially with easy to deploy Ransomware-as-a-Service (RaaS) business models.
Situational Awareness – The Building Block of Teamwork
The key to creating a collaborative approach to security is going beyond the annual security awareness training. Security leaders need to surpass the compliance checkbox and continually remind people to think about security in their daily activities.
People get busy. They get focused on their work. They stop thinking about security. This makes sense, but it also creates problems.
The key is building a mindset of situational awareness. It’s recognizing surroundings and changing activities accordingly. People pay less attention to their wallets when walking in an empty field than in a crowded city. Digital situational awareness is the same thing. In cybersecurity, situational awareness is about understanding what normal tasks look like and what daily workflows look like so people can recognize events outside of that normal. When people are working on a computer, reading emails, talking on the phone, and interacting with other people, they need to be just a little bit mistrusting and be able to analyze interactions that seem suspicious.
Best Practices for Building Collaborative Cybersecurity
As with everything else in cybersecurity, saying that something needs to happen is a lot easier than making it happen. However, security leaders can build this teamwork mentality by engaging everyone across the organization.
Get Everyone Involved
The first step to creating a collaborative security program is talking to people. Posing these two simple questions to everyone across technology and line of business can give security leaders insight they didn’t have before:
- What are the risks that you see that the company’s not addressing?
- What would you recommend we do to fix that problem?
The first question can provide visibility into new risks. People in different roles see risk differently. New perspectives can shine a light on risks that the security or IT team may not have seen or understood.
The second question helps reduce risk by getting people involved to buy into the implementation and maintenance of the control. When people feel ownership over creating processes, they’re more likely to follow them, whether it’s change management, code commits, QA reviews on the development team, or user access to marketing websites.
Clearly communicating responsibilities to people is fundamental. People need to know the definition of their responsibility from:
- An operational perspective
- An ownership perspective
- A compliance perspective
- A security perspective
Mature companies often have these roles and responsibilities clearly defined. It’s important that organizations create these definitions as soon as possible because waiting until the company “gets big enough to need it” leads to technical debt. In a small company, it’s easier to implement because there are fewer people, then it can iterate as it grows by evolving the roles, definitions, and responsibilities.
Identify Critical Teams and Start There
Identifying a critical team is a good starting point for security leaders who feel overwhelmed. For example, a development company might find its DevOps team and processes are the most critical.
Now, it can:
- Create well-defined roles
- Establish segregation of duties
- Explain responsibilities from operational and compliance perspectives
Engage in Routine Self-Assessment
After implementing controls, it’s important to make sure they’re operating effectively. This usually means implementing routine self-assessments to make sure people are following processes. It also usually includes some form of documentation to prove compliance.
For example, monitoring user access can prove control enforcement after implementing segregation of duties within the DevOps team. Monitoring user access can show holes in processes and potential points of improvement. Having documentation proves that the controls are operating effectively for the compliance team.
Find Security Ambassadors
You can find security ambassadors on any team – both at the technical and line of business levels – to participate in the security program and spread situational awareness within their team. They feel a sense of ownership and care about security.
This is another area where companies often forget that security is about people, not just technology. Not all controls are technical. Security ambassadors can help identify risks and implement controls within their teams. Then, the IT or security team can use technology to document whether the controls are working.
Access management is a perfect example of this. Managers are the ones who best understand their employees’ needs and should define who can access what. The definitions and decisions aren’t technical. The technical aspect is in the setting and monitoring of the access. Many smaller companies use their centralized log management to monitor user access, changes to data, and data exfiltration, all of which prove whether or not the access controls are working.
Security is a Team Sport
Getting everyone on board with security starts by getting the buy-in from technical and non-technical staff. Security starts with people because they’re the ones who use technology. Technology should exist to support them.
For many IT teams, security tools can feel overwhelming. They’re complex and time-consuming. Most teams can’t use all the features and functionalities that would allow them to manage security more effectively.
However, they do know how to use and optimize monitoring and visibility tools and how to share information from them. Finding the right technology that enables people rather than hinders them is the way to communicate successfully so that everyone within the organization understands their role and participates effectively.
About the Author
Jim Nitterauer is the Director of Information Security at Graylog. He holds the CISSP and CISM certifications in addition to a Bachelor of Science degree with a major in biology from Ursinus College and a Master of Science degree with a major in microbiology from the University of Alabama. He is well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 25 years. He stays connected with the InfoSec and ethical hacker community and is well-known by his peers. In addition to his work at Graylog, he devotes his time to advancing IT security awareness and investigating novel ways to implement affordable security.