In this article, we are shifting away from covering the fundamentals to delve into a more often overlooked dimension of cybersecurity. Most discussions around business security revolve around offering technical solutions to security problems. While it’s true that technical solutions play a vital role, fixating solely on them neglects a foundational component of any company: its people. An organization is an intricate tapestry of individuals organized into departments. The collective work produced by those groups of individuals makes up the company’s core. The day-to-day activities of these individuals define and shape the company’s overall output. Hence, dismissing the people aspect from your security strategy leaves a massive hole in your security strategy. In this article, we will emphasize the importance of people and highlight key relationships and mutual benefits for all parties.
Importance of People
Recognizing the pivotal role that people play in the realm of cybersecurity is essential. Employees are often regarded as the weakest link in cybersecurity, but they are the business’s lifeblood. From executive leadership developing strategic roadmaps to employees executing those plans, every individual’s actions can have a cascading effect on the company’s security posture. This strategy should not only revolve around preventing breaches alone but also developing a culture of security awareness and vigilance throughout the business.
The Obvious – Empowerment through Education
Humans are one of the top targets for cyber attacks when targeting a business. For instance, phishing and social engineering attacks regularly exploit known human vulnerabilities through manipulation, stress, and deception. Those human vulnerabilities are obvious examples of how people must play a crucial role in your security strategy. Organizations can effectively limit many cyber threats before they escalate by empowering employees through proper training and education to recognize the signs of such attacks.
Invest in continuous education and training programs that include technical aspects and psychological tactics cybercriminals use to perform their attacks. Invest in having regular workshops, simulations of real-world attacks, and gamification of the learning process to increase engagement and the effectiveness of your awareness program. Recognize and reward good security-conscious behavior regularly and correct with positive reinforcement instances where we people could do better.
The Less Obvious – Destroy the Silo
Organizations must avoid creating a siloed approach to cybersecurity. The security team is tasked with protecting the company while all other departments continue their regular operations, seemingly detached from security concerns. This approach needs to be revised on multiple levels.
Cybersecurity is not a solo act; it’s a complete, continuous ensemble performance where every department and every employee has a role to play. Communication and collaboration between departments are essential to the holistic security strategy.
If the security team alone works 24 hours a day, 7 days a week, it would not be enough to protect the business.
This statement has always been at the top of my mind, reiterating that if the security team works at full power and efficiency. It would never be enough to reach the required security maturity to protect the business effectively. Security should be woven into the fabric of every process and every decision. Hence, ensuring it is part of every department and business unit is essential, making security an integral part of the company’s DNA and highlighting the importance of fostering good relationships and creating win-win situations; the security team can ensure that everyone is working together towards a common goal.
In the following sections, we will review the key relationships you must consider in your security strategy and how to establish win-win situations to strengthen the relationship further. It is important to note that those departments do not necessarily exist in every company and business model and are merely examples of how the security strategy can be expanded.
Human Resources and People Operations
The People Operations (PeopleOps) teams, more commonly called Human Resources (HR), are responsible for hiring and managing employee development and policy enforcement across the organization. PeopleOps plays a pivotal role in the onboarding, day-to-day activities, and off-boarding of employees. Referring back to the Cyber Risk Map, where we listed many of the risks an organization may face, many are associated with employees. Risks include employees causing intentional and unintentional malicious actions, unauthorized use of resources, or falling prey to phishing & social engineering. Proper onboarding processes, including practical security training, contractual obligations such as an NDA, and adequate background checks & reference checks, can mitigate those risks. The risks also continue to exist after the employees are off-boarded; hence, it is essential to have appropriate off-boarding processes as well, including reminding departing employees of NDA obligations, ensuring all company assets are returned, and triggering the internal processes for tool and access deprovisioning.
Maintaining a collaborative relationship with PeopleOps is essential. Security teams can mutually benefit PeopleOps teams by developing the Learning and development programs with additional security content and budget, taking part in company-led initiatives and awareness programs, incident & disaster response planning, supporting the enforcement of company policies, and onboarding and off-boarding of employees.
Finance
The finance team is responsible for everything related to the financial matters within the company. Achieving their objectives requires high visibility and order across the company, especially regarding expenditures related to tools, cloud infrastructure, and company assets.
Maintaining a strong partnership with the finance department is indispensable and offers many mutual benefits. Finance can support security initiatives by allocating the required budgets and resources. Also, finance can help serve as a guardian against shadow IT, where tools, projects, or initiatives are launched without going through proper security risk assessments, threat models, or reviews. This risk can be significantly mitigated by having the finance procedures mandate that projects or tools would only receive budget approvals after undergoing thorough security evaluations. Conversely, finance teams can mutually benefit from security teams by gaining the visibility they require through shared inventories, as covered in our last article, The Power of an Inventory. Additionally, security teams can support cost-cutting initiatives by ensuring the deletion of unused resources, data stores, servers, and even licenses and seats that are no longer required.
Legal
The legal department ensures the company complies with all relevant laws and regulations, especially in data protection and privacy. Collaborating closely with the legal team is essential to navigate the complex legal landscape surrounding cybersecurity.
Legal teams can provide valuable insights into data retention policies, disclosure requirements in case of a data breach, and the legal implications of various cybersecurity strategies. They can also assist in drafting and reviewing contracts with third-party vendors, ensuring that security clauses are included to protect the company’s interests.
Security teams, in turn, can assist the legal department by providing evidence of security measures in place, helping with incident response plans, and ensuring that data breach notifications are executed promptly and compliant.
Engineering
The engineering department is responsible for developing and maintaining the company’s products and services, contributing to considerable cyber risks. Strong collaboration between engineering and security teams is crucial to embedding security into the software development lifecycle, ensuring that security is embedded into these products and services. Security teams can support engineering by shifting security left, providing secure coding guidelines, conducting code reviews, and offering training on secure development practices. They can also assist in threat modeling exercises to identify potential vulnerabilities early in development, where introducing the needed changes is easier and cheaper.
IT
The Information Technology (IT) department manages the company’s technology infrastructure. They manage office networks, servers, and endpoints, making them a crucial partner in your cybersecurity strategy. Collaboration between security and IT teams is essential for aligning technical solutions with security objectives. Security teams can rely on IT teams to implement security tools such as MDM and anti-malware solutions, maintain the office network and firewalls, and patch & vulnerability management, all essential controls for mitigating security risks associated with company assets such as devices and physical offices. Security can support IT teams by providing security guidance and best practices, helping implement robust, secure baselines and configurations for networks and firewalls, and aiding with vulnerability management and patching.
Sales
Sales are responsible for selling the company’s products and services. Establishing a solid working relationship between security and sales can benefit both parties. Sales and success teams can ensure that customers know the security features of the company’s products and services, which can help build trust and confidence. Sales teams, in turn, can provide valuable insights into customers’ security requirements and expectations, which can help develop the security strategy and roadmap and link the security initiatives to the company selling and revenue generation, which can help accelerate such security initiatives with executive support, additional resources, and budget.
Wrapping It All Up
In conclusion, it’s essential to think of your cybersecurity strategy beyond mere technical solutions but instead to take a holistic approach that incorporates the human element within the organization. It is necessary to break down the silo and develop relationships where communication, collaboration, and shared responsibility are the keys to success. These partnerships can yield mutual benefits, enhancing security while supporting the core objectives of each department. By embracing this holistic approach, companies can ensure that security is not merely a department’s concern but an integral part of their DNA, woven into every process and decision. Through such unity, businesses can safeguard their digital assets and thrive in an increasingly complex cybersecurity landscape.