As Highspot’s Chief Security Officer, I believe security begins with people. Safeguarding information and data is essential, but doing so is only one cog in the wheel of an organization’s security.
Everyday decision-making and processes across roles and functions have the power to bolster a company’s resilience or result in challenging incidents. As security professionals, it’s our responsibility to not only set up the necessary operations to mitigate risk, but also to establish a culture of security where employees feel informed, supported, and empowered to play their essential role in security.
In today’s increasingly interconnected world, security’s job has never been more important. Here are ways we’re thinking about security at Highspot, and steps you can proactively take to uplevel security at your own organization.
CREATING A CULTURE OF SECURITY
Security professionals are not omnipresent (as much as we would like to be). No matter how big your security team becomes, it will be impossible to ensure nobody is tailgated, no phishing email links are clicked, employees avoid divulging sensitive information when answering the phone, and that risk awareness is part of the myriad of daily decisions that everyone in the company makes. If you’re not leveraging everyone at your organization to think about security, then you have untapped capacity waiting to be unleashed.
Engaging your company as a whole starts with building relationships. The security team should not be seen — or worse, feared — as an impediment or a blocker, but rather a collaborative partner. Employees should know that the team is there to help them achieve their ambitions in a better, safer way. Through team introductions, transparent updates on initiatives, and training designed to help employees understand the complex nature of security and the important role they play, you can weave the common thread of security awareness throughout the company.
At the end of the day, establishing a culture of security is something that every company should do, but many companies don’t even attempt. It takes consistent effort to make incremental changes that happen over time, not overnight. The benefits are well worth the undertaking, however, because a security-first culture makes for a security-first company.
REALIZING BUSINESS IMPACT WITH SECURITY INITIATIVES
The safest company is one that doesn’t have any employees or any customers — but, of course, that’s not much of a company. Risk is inevitable and a necessary part of everything we do. Business impact comes from managing potential risk, minimizing consequences, and maintaining capacity to make strategic bets and manage more risk when that risk is understood.
How can your security organization both protect your company and enable your teams to make better business decisions? Start by ensuring that these fundamental pieces are part of your program.
Implement the Principle of Least Privilege
Least privilege is the practice of limiting access rights for users or entities to the bare minimum of permissions they need to perform their work. By ensuring that every employee and every piece of software has only enough permission to do their jobs — nothing more, nothing less — you can mitigate unknown risks.
For example, if an employee account is compromised, the impact is significantly reduced when that person has access only to the two systems that are part of their job function. The concept holds true for devices and systems: if a machine only has permission to access the two resources required by the software deployed to it, a hacker is greatly limited in the damage they can do should it be taken over. And if a vulnerable web service does not have access to a customer database, it cannot leak sensitive customer data when an adversary exploits an injection attack.
A successful compromise of an organization involves a series of steps, exploiting weaknesses and vulnerabilities at each point, building a chain of attacks to achieve an end goal. Because access limits how effectively an attacker can build the next link, a least privilege security model is an important way to proactively prepare for risks you can’t anticipate.
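The web-service case above, worked through as an added example (not code from the original post or from Highspot): the order-lookup service gets a database handle that can only read the `orders` table, so a statement that reaches for `customers`, whether written by a developer or smuggled in through an injection flaw, fails to compile. The sqlite3 authorizer hook stands in for the role grants a real database deployment would use; tables and rows are constructed for the demo.

```python
import sqlite3

# Constructed demo: an order-lookup service that only needs the orders table.
# sqlite3's authorizer hook stands in for the database grants a real deployment
# would use; the point is the same: the service handle cannot reach customer data.
READABLE_TABLES = {"orders"}


def least_privilege_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Allow SELECT statements that read only allow-listed tables; deny all else.
    Denied actions include reads of other tables and every write or DDL action."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in READABLE_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def build_demo_db():
    """Create an in-memory database with constructed sample rows (admin context)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, sku TEXT);
        INSERT INTO customers VALUES (1, 'alice@example.com');
        INSERT INTO orders VALUES (1, 1, 'WIDGET-1'), (2, 1, 'WIDGET-2');
        """
    )
    return conn


def service_handle(conn):
    """Hand the service a connection restricted to the privileges it needs."""
    conn.set_authorizer(least_privilege_authorizer)
    return conn


def lookup_order(conn, order_id):
    """The service's legitimate query: parameterised and within its privileges."""
    return conn.execute("SELECT sku FROM orders WHERE id = ?", (order_id,)).fetchall()


def run_untrusted_sql(conn, sql):
    """Run a statement through the restricted handle and report the outcome.
    Models what happens when an attacker-controlled statement reaches the
    database: anything outside the granted scope is refused at compile time."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)
```

The same containment holds for writes and schema changes: with only read access to `orders`, an `UPDATE` or `DROP TABLE` through the service handle is refused as well.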
Scale Your Team — Without Hiring
The demand for security professionals has never been higher, far outstripping supply. In recent years, companies across nearly every industry have begun to understand that they face a myriad of security risks from the technology they have deployed in every part of their organization. These experts are hard to find, and they’re expensive. Consequently, any strategy that relies on hiring people into security jobs to solve problems is likely not going to be successful.
Instead, security leaders need to magnify the impact of each security person to enable all employees. One effective way to do this is finding the security-inclined employees in your company. These individuals sit on various teams across the company, but they have security-oriented minds and a knack for poking holes in things. Empower these people to share problems, and let them know they have the backing of the security team to drive initiatives home. By enabling them to be effective identifiers and mitigators of risk, you will have security representatives across the organization.
In addition, to drive understanding across the breadth of your company, implement real and effective training programs that help all employees flex their security muscles and learn how to wear a security hat from time to time. Training done only to satisfy a compliance requirement is often created just to check the box. Engaging training encourages individuals to consider the risks they see and how they manage them. Games and competitions can give people a chance to play with security as they get to know it — how many employees can spot the five phishing emails in this list?
Expand Impact with Automation, Technology, and Thinking
Given the difficulty of hiring top security talent, scaling your team’s capabilities should hinge not on hiring more heads, but on automation, best-of-breed technology, and innovative thinking.
A key first step is to reduce human time and effort where a machine can get the bulk of the job done. Creating invariants may require complex automation, but it provides an excellent return. You may have a policy that only certain machines in your cloud provider are allowed to be reachable from the internet. Rather than engaging all of your teams to make sure they follow the policy, automate it so that violating it is essentially impossible in the first place. If you have policies to patch machines, encrypt thumb drives, or prevent passwords and keys from being checked into source control, automate them all. Go one step further and automate static and dynamic analysis, so that your tooling — not your people — reports gaps and weaknesses directly to your developers. There will always be a need for a human touch; keep those touches focused on providing leveraged value. Very rarely does this mean walking another team through the same thing they’ve done a dozen times before.
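The internet-reachability and patching policies above, expressed as machine-checked invariants in an added example (not code from the original post or from Highspot). Two invariants run over a constructed inventory in the shape a cloud API listing would be normalised into; `check_inventory` is the detective form that reports existing violations, and `admit_change` is the preventive form that a deployment pipeline could use to refuse a violating definition before it ever reaches the account. Role names, IP addresses, dates and the 30-day window are all assumptions for the demo.

```python
from datetime import date

# Constructed policy and inventory for this demo, not Highspot's configuration.
# Invariant 1: only instances in these roles may hold a public IP address.
ALLOWED_PUBLIC_ROLES = {"edge-proxy", "bastion"}
# Invariant 2: every instance is patched within this many days.
MAX_PATCH_AGE_DAYS = 30
# Fixed "today" so the example is reproducible.
TODAY = date(2024, 6, 1)

# Constructed inventory (documentation IP range 203.0.113.0/24, made-up ids).
INVENTORY = [
    {"id": "i-01", "role": "edge-proxy", "public_ip": "203.0.113.10", "last_patched": "2024-05-20"},
    {"id": "i-02", "role": "app-server", "public_ip": "203.0.113.11", "last_patched": "2024-05-28"},
    {"id": "i-03", "role": "db", "public_ip": None, "last_patched": "2024-03-01"},
]


def no_unexpected_internet_exposure(inst):
    """Pass if the instance has no public IP, or its role is on the allow list."""
    return inst["public_ip"] is None or inst["role"] in ALLOWED_PUBLIC_ROLES


def patched_within_window(inst):
    """Pass if the last patch date is within MAX_PATCH_AGE_DAYS of TODAY."""
    age = (TODAY - date.fromisoformat(inst["last_patched"])).days
    return age <= MAX_PATCH_AGE_DAYS


INVARIANTS = [
    ("public-ip-only-on-allowlisted-roles", no_unexpected_internet_exposure),
    (f"patched-within-{MAX_PATCH_AGE_DAYS}-days", patched_within_window),
]


def check_inventory(inventory):
    """Detective mode: return (instance id, invariant name) for every violation."""
    return [
        (inst["id"], name)
        for inst in inventory
        for name, rule in INVARIANTS
        if not rule(inst)
    ]


def admit_change(proposed):
    """Preventive mode: gate a proposed instance definition (for example in CI
    before deployment) so a violating configuration never reaches the account."""
    return all(rule(proposed) for _, rule in INVARIANTS)
```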
Innovative technology and frameworks also play a critical role in expanding your security team’s impact. The pace of technological change seems only to increase, and with it the way environments are secured changes too. Separate authentication systems on each host yielded to centralized authentication like Active Directory, which in turn gave way to federated identity and SSO.
The best teams look to breakthrough tools and frameworks — ideas that transform the way that security is done. NIST’s Cybersecurity Framework has changed the scope of what a security program encompasses to be truly holistic. And commodity mandatory access control, like SELinux or AppArmor, provides revolutionary protection and detection. There may be a steep learning curve for some best-of-breed technologies, but the upfront work pays dividends in the long term.
BUILDING FOR A SECURE FUTURE
Building for security is foundational to company success — and building goes beyond hardening a system and writing a policy. A truly secure organization is one where everyone is committed to keeping security at the core of the product, systems, processes, and culture.