In any organization, you can find employees who hold this state of mind — a passive mindset with defined separation between security and themselves. The work from home strategy during the pandemic has meant that organizations quickly ramp up their cybersecurity efforts.
However, in today’s threat landscape, those employees’ thinking endangers your organization to all sorts of security risks. Employees from the janitor right up to the CEO must be cognizant that cybersecurity is now everybody’s responsibility.
“Cybersecurity is not my job.”
Just like the healthcare of a society should not be a "doctors-only" job, security should be part of all job descriptions in an organization. Having good TAC - Trust, Accountability, and Culture - is like having a good immune system for your body. There will be less of a need to visit a doctor (security professional).
The security team should not be alone in a company. As a security architect, I understand three pillars (Trust, Accountability, and Culture) in cybersecurity that you can adopt to enhance the PPT defense (People, Process, and Technology).
T — Trust, not as Weaknesses but as Empowerment
To makes things right, we need to integrate the trust element into the entire remote platform and ensure the trust is not compromised in every job description. Considering people as the weakest link in the PPT framework, it is important to implement the “Zero-trust model.”
Trust, on the other hand, can be a two-way street. Security Professionals understand that user behavior is one of the biggest attack vectors. However, with the right approach (like what I will discuss later), end-users can become the defense's biggest contributors.
The Good Side
Security protocols are not easy for all; that’s why we have our jobs. But it doesn’t mean that we can act like we are at the top when talking about security. Trust requires two parties to be equal. Thus, if you want employees to trust the security safeguards that can protect them from hacking, you need to trust them first.
Our goal is to empower colleagues to make effective and wise decisions. Listen to them before the implementation of security solutions should be considered. As I said before, if you continually try to increase the system's security level, it will not work. Why? It is because no one wants to go in and out to work in the maximum-security prison every day.
This means guiding them to promote their flexibility in daily operations and trusting them to work alongside security, not against it. You don’t want users to find a work-around to bypass the security measures. Meanwhile, users do not want to put in an extra effort merely to complete all the security checks.
What can we do with trust to secure remote work?
Let say an employee is allowed to work from home for a period and he logs in from one external location consistently from his home address. The first-time login could be a combination of multifactor authentication and activity monitoring for IAAA purposes.
But later on, the authentication process could “step down” to simplify his/ her daily workflow. That user would be under supervision, but he can focus on his work instead of remembering various login secrets.
Moreover, let employees know that they are a key part of the security can help them be more actively participating in security programs. Building trust between the security team and users is key in reducing the friction in security and productivity.
A — Accountability is Not Only About Punishment
When I talk about accountability with customers, “playing the blame game” is often their first response. This is understandable as they think about when things go wrong. The truth is, we do not handle disasters every day. Rather, in daily operation, accountability is key to shared responsibility in the security plan.
Feedback is All You Need to Care About
The key to success is focusing on user behavior rather than the consequences if something happened. Accountability act as the guidepost for different actions. It is the output of predicted behaviors and the reminder of responsibility.
Accountability could be the tool of feedback on the actions they have taken to change their behaviors. Users change their actions to get favored feedback. Negative feedback can prevent bad things from happening. In contrast, positive feedback encourages good behaviors.
If users understand the benefits of reporting abnormal activities, they will do it more frequently. But what if the trust is missing between users and top management?
Using accountability for behavior change, we can offer:
- Positive feedback —provide rewards if a real threat is identified.
- Negative feedback — ensure users know the responsibility if they don’t report, and something did happen.
Do You Want to Play a Game?
Gamified accountability is also a great idea to promote accountability and responsibility. Using gamification as part of a security program design can be a piece of cake and huge benefits. What gets measured gets done.
A better user experience also drives better engagement in security duties. Like RPG, there are levels, upgrade, badges that users can get by doing the right things. This not only provides real-time feedback to users but also visualize the achievement among peers.
By implementing gamified accountability, employees will be able to understand better how risks connect to their duties. It also anticipates them as they get on with their daily tasks.
There are now gamification platforms available for training and user education purposes. This kind of technology can also provide real-time feedback that instantly reminds users to complete tasks or stop doing something that is not allowed.
A set of good behaviors can become an exceptional security habit. Ultimately these become patterns of diverse users and form good cybersecurity culture.
C — Culture Promotes Participation
For me, a strong cybersecurity culture includes an explanation to users of the reasons behind the actions, instead of simply telling them what to do all the time. Almost every company requires users to change their passwords regularly.
Not every employee understands the benefits of such behavior. Apart from being equal when promoting new security measures, it would be of great value if security is more interesting, relevant, and engaging to them.
In my philosophy, knowing purposes is the root of success. That is why, in cybersecurity culture, one goal is to promote overall awareness. Technology is one piece, but it is equally important to enhance employees' awareness and share why it is beneficial to follow the best practices.
Make the Most Out of Awareness Training
Awareness training could be one way to achieve that, but the focus should be WHY and HOW. In that way, users can create repeatable patterns of behaviors that become part of its norm.
Mindset Matters
Cybersecurity Hygiene is another example of how to cultivate a strong security culture. Previously I used the analogy of washing hands to compare with minimizing attack vectors in the concept of cybersecurity hygiene.
Another key element of nurturing a security culture is to have a security mindset in place. If receptionists can understand the concept of “piggybacking,” there is a lower chance that a stranger can walk into the office building without question.
Developers voluntarily upload their source code to security scanning before launch (shift-left security) could considerably reduce the problems' succeeding stages.
Lastly, regular sharing of information about the dynamic threats environment could foster the establishment and reinforcement of strong security culture, especially in this transformation of the remote workforce.
Final Words
It is not up to IT to be ready for a remote workforce due to the pandemic. Companies need to ramp up their cybersecurity ASAP. But securing the company’s properties should not be the responsibility of the tech team alone.
Let's take a final look at the TAC framework:
- Trust — Not as a weakness but empowering users to make effective decisions on daily operations.
- Accountability — A way to provide feedback to users with the focus on good security habit
- Culture — A better hygiene, more engaged environment could considerably reduce the avoidable incidents.
We should promote the idea of health maintenance, in which taking care of your body is an everyday job, just like brushing our teeth twice a day to maintain oral health.
Security should be the same. It is an everyday job for every job description. These three pillars are equally valuable. Each of them can reinforce the others. Better accountability can promote a strong culture; culture can help build trust with the security team.
Knowing the escalation path may not work if the trust is absent; building an open environment helps. With suitable accountability in place, creating security habit become possible. And finally, a cybersecurity culture could be developed.
Friction-less security is security with good cooperation, which makes it part of every job description. Creating a strong cybersecurity culture implies that they will voice it out if someone sees something unfamiliar or exceptional. It also means they know who to contact to report or discuss when encountering security problems.
Thank you for reading—happy learning and executing TAC.
Originally published at https://medium.com/technology-hits/cybersecurity-is-not-only-about-tech-but-tac-67d973061a04