Why cyber security can’t just say “no“
There was a time, not long ago, when there were only so many ways of accomplishing an information technology task. Whether you were building a website, setting up a new computer, or installing a piece of software, your options were limited — if there were any options at all. That time is over.
Now, any kind of product or service can be acquired easily and with minimal effort, and usually for a very low or no price. When circumstances change, experts must adapt or watch their expertise become irrelevant or even detrimental. Information security departments, and the consultants who advise them, need to understand that just saying “no” should be off the table.
Saying “no” leads to permanent temporary solutions
If you say “no” to an employee asking to transfer a large file via an alternative solution because email can’t be used, the transfer will almost certainly still happen, and it will happen through a free cloud service outside of the company’s control. Now internal company data will potentially be kept forever in a cloud service somewhere in the world — usually in the United States — where it can be potentially accessed or compromised by third parties. On top of that, no one will have any indication how much data has been exposed, for how long and by whom. And what was known will slowly erode, as employees cycle in and out of various departments.
As the saying goes: nothing is as permanent as a temporary solution. This is just as true for actions taken by employees on their own behalf, both before and after a breach.
While the security department refuses a request with a simple gold-plated “no”, the problem won’t just go away because the business need won’t just go away. On the contrary, that slight problem might be the smoldering ember that will spark your next security incident. Then incident responders will get awkward silences instead of answers to their questions, preventing a quick, thorough investigation.
Businesses need clinicians, not guards
So rather than trying to behave like palace guards trying to enforce the security policy of the organization, we need to behave more like doctors.
We need to be better at explaining why something is not possible, what kind of risk it might entail in the short versus long term and, most importantly, ask why the question was asked. That’s the best way to find out what the root cause might be: by asking thoughtful questions in return of the original question and taking notes.
There is no shortage of short-sighted ideas when it comes to decision-making. But ignoring the reasons why certain requests have been made might have real and potentially dangerous consequences.
So how do we get beyond “no”?
Questions are good. And most questions come from a good place, trying to achieve something aligned with the company’s mission. Almost no one gets out of bed in the morning trying to find new ways of making their own job or department miserable by trying to actively sabotage it. Most ideas come from a legitimate challenge or observation.
Be aware that not everyone knows about the threats and potential impact of making certain decisions that might open the company up for attack or make any successful breach more severe and expensive.
Listen instead of just waiting for the conversation to be over, nodding your head out of some sort of office courtesy.
Really listen, because companies are far from perfect, and documentation is rarely correct or complete. The concrete knowledge about how things work lives with your employees. Treat them with respect and listen to them while asking what they are basing their observations on, how a use case can be made from the situation so it does not disappear, and to see what can be done to make whatever changes need to be made.
Do this before the employees get demoralized and eventually take matters into their own hands. There is nothing as potentially destructive as a loyal employee who has stopped asking questions.
Be constructive and informative
Ultimately, IT security is all about keeping the company safe from damages — financial damages, operational damages, reputational and brand damages. You’re trying to prevent a situation that not only will harm the company’s well-being, but also that of its employees. That is why we need to explain the actual threats and how incidents occur.
Explain what steps can be taken to lower the chances and impact of those incidents occurring and show them how they can be part of that. People love learning new things, especially if it has something to do with their daily work.
Explain the tradeoffs that are being made, at least in high-level terms. Explain how quickly convenience, such as running a machine as an administrator, can lead to abuse. Not only will the companies appreciate you for your honesty, but they will have the right answer the next time the question comes up. They’ll think along the constraints and find new ways of adding value to the business, while removing factors from their daily work that might result in one less incident down the line.
Level with your colleagues
Everyone has a domain of expertise, and we should respect each other’s work and responsibility, but human beings are human beings, and computers and security policies do enforce a certain way of thinking and acting which can result in power play between individuals or departments.
No one wants to sit in the middle of these kinds of tennis matches of hell meetings. So, keep the discussions facts based and try to keep emotions and stigma to the lowest level possible. At the end of the day everyone should work towards the same goals. Trying to blow out the candles of one department does not make your candles shine brighter.
Respect the company culture
Trusting your employees is important and a vital part of anyone’s work. Being able to work as a team would not be possible without it. Still, trust is not a security model and it certainly does not scale. Whatever steps are taken to ensure that employees and their work, data and end-customers are kept under control, they must consider the company’s culture.
A company’s culture is not set in stone and must evolve along with its employees and the current zeitgeist. Understanding where a company is at when making a cyber security-related decision will make everyone’s life easier.
The best security is invisible, unnoticeable. But that needs to come with the understanding and awareness that just because you aren’t confronted with a particular threat, doesn’t mean it is not there