“Cybersecurity is not my job.”

In any organization, you can find employees who hold this state of mind: a passive mindset with a clear separation between security and themselves. The work-from-home strategy during the pandemic has meant that organizations must quickly ramp up their cybersecurity efforts. However, in today's threat landscape, those employees' thinking exposes your organization to all sorts of security risks. Employees from the janitor right up to the CEO must be cognizant that cybersecurity is now everybody's responsibility.

Just like the healthcare of a society should not be a "doctors-only" job, security should be part of all job descriptions in an organization. Having good TAC (Trust, Accountability, and Culture) is like having a good immune system for your body: there will be less of a need to visit a doctor (the security professional). The security team should not stand alone in a company.

As a security architect, I see three pillars in cybersecurity (Trust, Accountability, and Culture) that you can adopt to enhance the PPT defense (People, Process, and Technology).

T — Trust, not as Weaknesses but as Empowerment

Considering people as the weakest link in the PPT framework, it is important to implement the “Zero-trust model.” To make things right, we need to integrate the trust element into the entire remote platform and ensure that trust is not compromised in any job description. Trust, on the other hand, can be a two-way street. Security professionals understand that user behavior is one of the biggest attack vectors. However, with the right approach (like what I will discuss later), end-users can become the defense's biggest contributors.

The Good Side

We are on the good side; that's why we have our jobs. But it doesn't mean that we can act like we are at the top when talking about security. Thus, if you want employees to trust the security safeguards that protect them from hacking, you need to trust them first.

Trust requires two parties to be equal. Security protocols are not easy for everyone; our goal is to empower colleagues to make effective and wise decisions. Listening to them before implementing security solutions should be standard practice. As I said before, if you continually try to increase the system's security level, it will not work. Why? Because no one wants to go in and out of a maximum-security prison to work every day. You don't want users to find a work-around to bypass the security measures. Meanwhile, users do not want to put in extra effort merely to complete all the security checks. This means guiding them to keep their flexibility in daily operations and trusting them to work alongside security, not against it.

What can we do with trust to secure remote work?

Let's say an employee is allowed to work from home for a period, and he logs in consistently from one external location, his home address. The first-time login could be a combination of multifactor authentication and activity monitoring for IAAA purposes. But later on, the authentication process could “step down” to simplify his or her daily workflow. That user would still be under supervision, but he can focus on his work instead of remembering various login secrets. Moreover, letting employees know that they are a key part of security can help them participate more actively in security programs. Building trust between the security team and users is key to reducing the friction between security and productivity.

A — Accountability is Not Only About Punishment

When I talk about accountability with customers, “playing the blame game” is often their first response. This is understandable, as they think about when things go wrong. The truth is, we do not handle disasters every day. Rather, in daily operation, accountability is key to shared responsibility in the security plan.

Feedback is All You Need to Care About

Accountability acts as the guidepost for different actions. It is the output of predicted behaviors and the reminder of responsibility. The key to success is focusing on user behavior rather than on the consequences if something happened. Accountability can be the tool for giving feedback on the actions users have taken, in order to change their behaviors. Negative feedback can prevent bad things from happening. In contrast, positive feedback encourages good behaviors. Users change their actions to get favored feedback. If users understand the benefits of reporting abnormal activities, they will do it more frequently. But what if trust is missing between users and top management? Using accountability for behavior change, we can offer:

- Positive feedback — provide rewards if a real threat is identified.
- Negative feedback — ensure users know their responsibility if they don't report and something did happen.

Do You Want to Play a Game?

Gamified accountability is also a great way to promote accountability and responsibility. Using gamification as part of a security program design can be a piece of cake and bring huge benefits. What gets measured gets done. A better user experience also drives better engagement in security duties. Like an RPG, there are levels, upgrades, and badges that users can earn by doing the right things. This not only provides real-time feedback to users but also visualizes achievement among peers. By implementing gamified accountability, employees will be able to understand better how risks connect to their duties. It also prompts them as they get on with their daily tasks. There are now gamification platforms available for training and user education purposes. This kind of technology can also provide real-time feedback that instantly reminds users to complete tasks or to stop doing something that is not allowed. Ultimately these become patterns across diverse users and form a good cybersecurity culture. A set of good behaviors can become an exceptional security habit.

C — Culture Promotes Participation

Almost every company requires users to change their passwords regularly. Not every employee understands the benefits of such behavior. For me, a strong cybersecurity culture includes explaining to users the reasons behind the actions, instead of simply telling them what to do all the time. Apart from treating them as equals when promoting new security measures, it would be of great value if security were more interesting, relevant, and engaging to them. In my philosophy, knowing the purpose is the root of success. That is why, in a cybersecurity culture, one goal is to promote overall awareness. Technology is one piece, but it is equally important to enhance employees' awareness and share why it is beneficial to follow best practices.

Make the Most Out of Awareness Training

Awareness training could be one way to achieve that, but the focus should be on WHY and HOW. In that way, users can create repeatable patterns of behavior that become part of the norm.

Mindset Matters

Cybersecurity hygiene is another example of how to cultivate a strong security culture. Previously I used the analogy of washing hands to compare with minimizing attack vectors in the concept of cybersecurity hygiene. Another key element of nurturing a security culture is to have a security mindset in place. If receptionists understand the concept of “piggybacking,” there is a lower chance that a stranger can walk into the office building without question. Developers voluntarily submitting their source code to security scanning before launch (shift-left security) could considerably reduce problems in the succeeding stages. Lastly, regular sharing of information about the dynamic threat environment could foster the establishment and reinforcement of a strong security culture, especially in this transformation of the remote workforce.

Final Words

It is not up to IT alone to be ready for a remote workforce due to the pandemic. Companies need to ramp up their cybersecurity ASAP. But securing the company's assets should not be the responsibility of the tech team alone. Let's take a final look at the TAC framework:

- Trust — Not as a weakness, but empowering users to make effective decisions in daily operations.
- Accountability — A way to provide feedback to users, with the focus on good security habits.
- Culture — Better hygiene and a more engaged environment could considerably reduce avoidable incidents.

We should promote the idea of health maintenance, in which taking care of your body is an everyday job, just like brushing our teeth twice a day to maintain oral health. Security should be the same. It is an everyday job for every job description.

These three pillars are equally valuable. Each of them can reinforce the others. Better accountability can promote a strong culture; culture can help build trust with the security team. Knowing the escalation path may not work if trust is absent; building an open environment helps. With suitable accountability in place, creating security habits becomes possible. And finally, a cybersecurity culture can be developed. Creating a strong cybersecurity culture implies that people will speak up if they see something unfamiliar or exceptional. It also means they know whom to contact to report or discuss security problems they encounter. Frictionless security is security with good cooperation, which makes it part of every job description.

Thank you for reading. Happy learning and executing TAC.

Originally published at https://medium.com/technology-hits/cybersecurity-is-not-only-about-tech-but-tac-67d973061a04