Security: A Shared Responsibility (Part 3)

Introduction

In this multi-part series, we’re taking a look at the big picture of security areas of responsibility and how each component (internal job position or external entity) fits into the puzzle, with a discussion of the importance of defined areas of responsibility. In the first article of the series, we looked closely at the role of the CSO or CISO, at the top of the IT security structure. In Part 2, we continued the discussion with an examination of the security role(s) of IT administrators, and then we talked about the responsibilities of outside contractors, consultants and partners to whom you grant access to some or all of your IT resources.

Make end users part of the security team

All too often, in too many organizations, the relationship between IT admins and end users seems to be an adversarial one. In no area is that more true than when it comes to security. It makes sense, because the objectives and priorities of the two are about as far apart as you can get.

End users are concerned with getting their work done. And let’s be completely honest here, they also want to be able to do a little personal computing on the side, during their breaks or lunch time or before and after “on the clock” work hours. What that all comes down to is that users want access.

They want to be able to access the internal company resources that are necessary to do their jobs. They want to be able to access web resources that they need to research work issues. They want to be able to interact freely with vendors, partners, clients and other work-related communications outside of the local network. And yes, they want to access Facebook, Twitter, their personal email accounts, their personal cloud storage accounts, and their favorite web sites – whether that’s the knitting club site or the drag racing site or the chess site or just a news or weather site.

IT admins and security pros are concerned with keeping the network safe and protecting the company’s resources and data. In order to do that, they have to limit access, both incoming and outgoing. Every packet that comes into the local network could potentially carry a virus or other malware, or serve as a vector for a denial of service attack. Every packet that goes out could potentially contain confidential company trade secrets or sensitive client or employee personnel information.

The difference is illustrated by the opposing views of the Bring Your Own Device (BYOD) trend that has made its way to so many businesses. Employees love BYOD because it gives them more freedom of choice and flexibility. Overall, most of them like being able to select the device type, brand and model they’ll use for work and they like the sense of ownership, even when that means they have to pay for it themselves.

Most IT pros, on the other hand, aren’t quite so enthusiastic about BYOD because it can present a security and administrative nightmare. Employee-owned devices are not only more difficult to keep track of and to keep current with the latest security updates; they’re also not under the ironclad control of the IT department.

Users see the devices as theirs, and expect to be able to install whatever apps they want, take them wherever they want, and use them however they want when they’re “off duty.” That means they connect them to networks that might not be secure and risk introducing malware to the rest of the corporate network.

Of course, upper management tends to view BYOD from yet another perspective, looking up at it from the bottom line. And the bean-counters generally love the idea of offloading the cost of hardware and maintenance onto the employees. Despite their security concerns, IT admins find themselves outnumbered, and BYOD flourishes.

But because of those security concerns, the IT department is constantly putting up obstacles in the paths of users, frustrating them and slowing down or completely blocking their ability to do what they want to do. No wonder the two are constantly at odds and view each other, if not exactly as enemies, at least as opponents in a never-ending game.

The good news is that it doesn’t have to be that way.

Turn security into a cooperative effort

To get end users on board with your security strategy, you first have to convince them that there’s something in it for them. Education, not intimidation, is the key. Ultimately, you have the technological means to grant or deny the access that users want. Unfortunately, too many IT admins wield that power in a punitive manner, and that just motivates users to find ways to get around your security measures.

Security awareness training – the right way

Security awareness training is a must for every organization, but there’s a right way and a wrong way to go about it. If it becomes just a long litany of things “thou shalt not” do, it won’t inspire users to comply (assuming they even stay awake for the presentation).

A good security awareness training program for end users is entertaining enough to capture their attention but serious enough to impress upon them the high stakes that are involved and the negative consequences for everyone when a security breach occurs. It fosters a “we’re all in this together” attitude and turns the competition into IT and users vs. the attackers instead of IT vs. users.

There is no “one size fits all” security training curriculum. Although there are some common topics that need to be covered and some common principles that need to be followed, a successful program will be custom tailored to the particular audience, and that varies even within the same company. Group the employees based on their job functions and make the training relevant to the tasks that they actually perform every day.

Remember that end users are not IT professionals. One of the quickest (and unfortunately most common) ways to lose the interest of those users is to talk way over their heads, using technical jargon that isn’t in their vocabularies and describing technical concepts that they don’t understand. Some groups of users are likely to be more tech savvy than others, so adjust the level of the content to fit each group.

The best training programs don’t treat the users as passive students sitting in a classroom. They get users involved through interactive exercises, drills, games, role-playing and so forth.

Almost as important as the content of the training is who delivers it because that, in large part, will determine how it’s delivered. The person in the organization who has the most security expertise isn’t necessarily the best at engaging and motivating people. Of course the training should be conducted by someone who knows and understands what he/she is talking about and is capable of answering questions – not just someone who has read over the content and regurgitates the lesson plan without having actually worked in security.

It can be difficult to find someone who has that combination: in-depth security knowledge plus a talent for communications. Be cautious, however, about hiring outside experts to do your security awareness training. Some are excellent; others just deliver the same canned presentation over and over to every group in every organization. Look for a training company that customizes the training, and go with internal instructors when it’s possible because nobody else knows the unique challenges and personal dynamics of your organization like someone who is a part of the “family.”

Regardless of the quality, security awareness training is only a first step. Follow-up and continuing engagement are necessary in order for your end users to retain the knowledge, internalize it, and truly become a functional part of your security team. Awareness training is just that; it seeks to make people aware of what they were oblivious to before. How many users don’t even realize that they have responsibilities in regard to the security of the corporate network? It should be in their job descriptions, in the company policy, and instilled in the minds of IT personnel and users alike.

Summary

In Part 3 of this series on Security as a Shared Responsibility, we began the discussion of the role and responsibilities of end users as part of the security team. In Part 4, we will continue in that vein, discussing in more detail exactly what the user’s responsibilities are, and then we’ll move on to the responsibilities of software vendors.
