There was a time, not so long ago, when there were only so many ways to accomplish an information technology task. Whether you were building a website, setting up a new computer, or installing a piece of software, your options were limited, if you had any at all. That time has ended.
Now, any type of product or service can be purchased easily, with minimal effort, and often for very little or no money. As circumstances change, professionals must adapt or risk having their expertise seen as irrelevant or even detrimental. Information security departments and their consultants need to understand that simply saying “no” is no longer an acceptable answer.
Saying “no” leads to permanent temporary solutions
If you say “no” to an employee who asks to transfer a large file through an alternative channel because email is not an option, the transfer will almost certainly happen anyway, and it will happen through a cloud service. A free cloud service is beyond the control of the company. Now the company’s internal data is likely to be kept forever in a cloud service somewhere in the world – usually in the US – where third parties can reach it, whether by legitimate access or by intrusion. On top of that, no one will have any indication of how much data was exposed, for how long, and to whom. And what is known will gradually fade away as employees rotate in and out of different departments.
As the saying goes: nothing lasts as long as a temporary solution. The same is true for actions employees take on their own initiative, both before and after a breach.
While security declines the request with a simple, curt “no”, the problem won’t just go away, because the business need won’t go away. On the contrary, that little problem could be the smoldering coal that sparks your next security incident. Incident responders will then receive awkward silences instead of answers to their questions, preventing a quick and thorough investigation.
Businesses need doctors, not guards
So, instead of behaving like palace guards enforcing our organization’s security policy, we need to behave more like doctors.
We need to better explain why something can’t be done, what kind of risk it carries in the short term versus the long term, and most importantly, question why the request is being made in the first place. That’s the best way to find out what the root cause might be: by asking thoughtful follow-up questions instead of simply answering the original one, and taking notes.
There is no shortage of short-sighted ideas in any decision-making process. But ignoring the reasons why certain requests are made can have real and potentially dangerous consequences.
So how do we move beyond “no”?
Please reach out
Questions are good. And most questions come from a good place, from someone trying to achieve something that aligns with the company’s mission. Almost no one gets out of bed in the morning looking for new ways to make their job or department miserable by actively sabotaging it. Most ideas come from a legitimate challenge or observation.
Be aware that not everyone is aware of the threats, or of the potential impact of certain decisions that could expose a company to an attack or make any successful breach more serious and costly.
Listen, instead of just waiting for the conversation to end while nodding along out of office courtesy.
Really listen, because companies are far from perfect, and documentation is rarely accurate or complete. Specific knowledge of how things actually work lives with your employees. Treat them with respect and listen to them while asking what their observations are, how a use case can be built from the situation so that it isn’t forgotten, and what can be done to make any changes that are needed.
Do this before the employee gets demoralized and ends up solving their own problems. Nothing is more destructive than a loyal employee who has stopped asking questions.
Be constructive and informative
Ultimately, IT security is all about keeping a company safe from damage – financial loss, operational damage, reputation and brand damage. You’re trying to prevent a situation that harms not only the well-being of the company, but also the well-being of its employees. That’s why we need to explain actual threats and how incidents happen.
Explain what steps can be taken to reduce the risk and impact of such incidents occurring and show them how they can be a part of it. People love to learn new things, especially if it relates to their day job.
Explain the trade-offs involved, at least in high-level terms. Explain how a quick convenience, such as running the machine as administrator, can lead to abuse. Not only will people appreciate you for your honesty, but they will have the right answer the next time the question is asked. They will think about the constraints and find new ways to add value to the business, while removing elements from their day-to-day work that cause incidents.
Be classy with your colleagues
Everyone has an area of expertise, and we should respect each other’s work and responsibilities. But people are people, and computers and privacy policies that enforce a certain way of thinking and acting may lead to power struggles between individuals or departments.
No one wants to sit in the middle of this kind of hellish back-and-forth. So keep discussions fact-based and try to keep emotions and blame as low as possible. At the end of the day, everyone should be working towards the same goals. Blowing out someone else’s candle doesn’t make yours burn brighter.
Respect company culture
Trusting your employees is an important part of anyone’s job. It is impossible to work in a team without it. However, trust is not a security model, and it certainly doesn’t scale. Any steps taken to ensure that employees and their work, data and end customers are protected must take the company’s culture into account.
A company’s culture is not fixed; it must grow with its employees and with the times. Understanding where the company stands when it comes to making decisions regarding cybersecurity will make everyone’s life easier.
The best security is invisible and unobtrusive. But that needs to be accompanied by an understanding and a realization that just because you don’t see a particular threat doesn’t mean it’s not there.