As someone with responsibility over both marketing and security teams, I've noticed some remarkable parallels between the two. The relationship that feels particularly pertinent today is the idea that every employee is responsible for security, not just the IT/security organization.
Rewind to the early 2000s, and accountability for a brand's reputation lay squarely with the marketing department. The most effective ways to shape public perception were through traditional means, using advertising and corporate PR campaigns. Fast forward a decade and everything has changed. With social media accounts and an always-on communications sphere, suddenly every employee has the power to cause a brand crisis and send share prices tumbling. Marketing has had to adjust fast, and there are now all kinds of technologies and processes that significantly reduce reputational risk while empowering employees to avoid disasters and actively become advocates for the brand.
What does this have to do with security? Well, there's a familiar trend taking place in this space, too.
The Good Old Days
One of the issues facing security leaders over the past few years has been the almost overwhelming growth of attack vectors. Even a decade ago, the vast majority of employees sat behind desks using Windows computers inside corporate offices, accessing corporate data over Ethernet cables into a protected intranet. Smartphones were just starting to make inroads, but business apps were limited in number and functionality, and 4G was in its infancy. IT and security teams were almost exclusively responsible for managing the risk of a cybersecurity crisis — just like with marketing and PR crises.
Today's workplace is almost unrecognizable. More employees than ever access corporate data via mobile devices, outside the traditional corporate environment and using an incredibly diverse array of corporate-issued and their own devices running on Windows, macOS, iOS, and Android. There's also a wider variety of network connections, from cellular LTE to home or public Wi-Fi hotspots. 5G and Wi-Fi 6 are both ready to make a bigger splash, too. Developing a robust security strategy that intelligently accommodates these sweeping shifts has been a challenge for many in the industry.
The Front Line Has Shifted
Examining the situation a little closer can help provide answers. Given the shift toward mobile-centric, perimeter-free working environments, the days when security could totally isolate and protect employees, effectively keeping them inside a secure bubble, are long gone. As LTE connectivity has improved, mobile workers are now at the forefront of external threats. The traditional perimeter is dead.
And that's the key point. IT and security roles have changed, just as the role of mobile employees has shifted. It's time to radically rethink the way we perceive our employees. They are our troops and our front line of defense. They are ambassadors for the security of the organization, in the same way that they're ambassadors for the brand.
That's not to say that mobile employees are totally prepared. Humans are often the weakest link when it comes to cybersecurity, and that's why hackers focus on them as soft targets.
Walking a Fine Line
What needs to change? Locking down mobile devices with strict policies that don't consider workflow can frustrate employees. This kind of authoritarian attitude toward what mobile workers can and cannot do unfortunately leads to many unforeseen consequences, not the least of which is shadow IT and internal friction. Even more worrying is the potential loss of productivity and the increase in worker frustration. Employees must be seen as allies in the fight against threats, not antagonists — winning hearts and minds internally has never been more important.
The alternative, preferred philosophy is to empower employees. Ask them what tools and applications they need. Figure out how much "freedom" they require in order to be productive and get their jobs done. Introduce reasonable content controls that prioritize work-related applications but allow non-work-related ones too — policies that can be applied to any device using any network. Implement sensible password and authentication controls that work for their purposes, such as single sign-on or multifactor authentication — and make sure the impact on employee experience is as small as possible. Establish security policies that take context into account whenever possible; apply them lightly when conditions are low-risk, and heavily when they're not.
The critically important step in this process is to educate and re-educate workers so that they can be trusted to identify and avoid common pitfalls and risks. Train them to recognize phishing emails and text messages. Teach them how to recognize an insecure Wi-Fi hotspot. And give them tools that help them understand risk, react to situations, and escalate concerns. The best security is almost invisible to end users — it becomes something they feel personally responsible for rather than something imposed upon them that they find ways to tolerate or circumvent.
Security Is Everyone's Responsibility
It's undeniable that the work environment has changed for most workers today and security must find new ways to accommodate them. Yes, workers are possibly the biggest security risk to your organization, especially when they increasingly use devices and networks beyond your control. Those same workers are the biggest reputational risk to your organization, even more so now that they are able to post about — and in some cases on behalf of — the company on social media and elsewhere.
The reaction from marketing to these changes was to find new ways of educating, equipping, and empowering employees to avoid disasters and to endorse and amplify the brand online. Security leaders can learn a lot from this approach.
Employees can no longer be pawns who need protecting. They must become partners in the battle against threats. With the right technologies, policies and training, workers will take on more responsibility in identifying and preventing potential threats in this new mobile-first, perimeter-free workplace. And it's your job to help them get there.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."