[BreachExchange] Without Handcuffs: Creating A Culture of Compliance

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 25 19:14:39 EDT 2018


https://www.securityweek.com/without-handcuffs-creating-culture-compliance

Over the years, I have met with hundreds of security teams. One of the most
common complaints that comes up in meetings with companies of all sizes
and across all industries is that security teams feel helpless to enforce
the policies they put in place. Multiple security officers have described
it as feeling like “cops without handcuffs.” Upon flagging serious
incidents of rogue IT staff and acceptable use violations, I’ve been met
with shrugs instead of surprise.

Security policies exist for a reason, but unenforced they’re not valuable
to anyone – updating them takes time and resources away from already
strained teams and arbitrary rules don’t make employees happier or more
productive. Given the challenges to enforcement, what role do these
policies play in a security team’s toolkit? And what needs to change to
make security teams able and willing to enforce policies?

Why Bother?

Widely accepted as a best practice amongst cyber security professionals,
internal security policies are a critical element of a strategic and
proactive cyber security program. Employees not on the security or IT teams
possess limited knowledge of the cyber security challenges facing
corporations and the risks their actions may pose to the company. Educating
employees about these risks and challenges is a fairly easy way for an
organization to minimize its risk profile.

Policies don’t prevent mistakes. We can’t expect a document or quarterly
security training to change everyone’s bad habits or prevent employees from
ever falling for a phishing attack. However, by limiting what applications
employees can use, laying out protocols for connecting to non-corporate
Wi-Fi networks, and instructing employees on the potential risks of rogue
USB devices, companies can reduce the number of employees involved in these
behaviors, thereby reducing the risks created by these activities.

Complacency and Complexity

At this point, it seems many employees are complacent and don’t fear
breaking policies, specifically because they aren’t enforced. As fewer
and fewer people follow restrictions and regulations, it becomes
too complicated or costly to enforce them. On the flip side, it’s possible
that it is the security teams who are complacent when it comes to
enforcement. A set of policies might be put in place to appease executives
or board members, but an IT team not supportive of the initiative could
have no actual intention of implementing them.

Another possibility is that inconsistencies in enforcement create a
situation where no enforcement seems like a better decision. Imagine a
situation where one employee was written up for using a non-approved cloud
storage platform, but he/she knows that numerous other employees are also
using it and aren’t being punished. This would serve only to create
resentment towards the security team and would do little to dissuade the
employee from using non-approved software and services in the future.

Finally, it could be the complexity of modern networks posing a challenge.
Most employees have multiple corporate devices, Cloud and SaaS applications
create more areas of the network that need monitoring, and BYOD further
expands the attack surface. While not impossible, it may be too challenging
and complex for security teams to enforce these policies on top of their
other responsibilities and without affecting business productivity.

A Shared Responsibility Model

One of the greatest successes of effective policies and effective security
teams is that they make security a company-wide responsibility. Security
teams need the ability to enforce policies when necessary, but they also
can’t spend all their time chasing down employees breaking the rules.
That’s why it’s critical to do two things: ensure you have a way to easily
monitor employee activity, and shift responsibility for the company’s
security into the hands of every employee and team.

You can’t enforce what you’re not aware of, and while some might raise
concerns over privacy, there are sophisticated security tools that can
provide visibility into employee activity without raising privacy concerns.
Such tools identify suspicious activity without diving into the
contents of emails or documents; instead they map out normal behavior
for every employee and flag deviations from it. Visibility helps ensure that
policies are enforced equally, enables quick, autonomous action when policies
are being broken, and ensures that senior staff, whose actions can have the
largest impacts, are also held accountable.
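To make the visibility approach concrete, here is an added example (not code from the article or any product it alludes to) that builds a per-user baseline from metadata-only proxy records and flags first-time use of non-approved storage services for every user alike, including senior staff. The log format, host names and the unapproved-service list are all constructed for illustration.

```python
"""Per-user behavioural baseline over metadata-only proxy logs (added example).
Only who-talked-to-which-host is used; no message or document content is read."""
from collections import defaultdict

# Constructed log lines: day,user,destination_host,bytes_out (no content fields).
LOG_LINES = """\
1,alice,mail.example.corp,1200
1,bob,mail.example.corp,800
1,ceo,mail.example.corp,900
2,alice,approved-drive.example.corp,5000
2,bob,approved-drive.example.corp,4000
3,alice,personal-storage.example.net,90000
3,bob,personal-storage.example.net,85000
3,ceo,personal-storage.example.net,120000
4,bob,unknown-sync.example.org,70000
"""

# Constructed list of services the (hypothetical) policy does not approve.
UNAPPROVED_SERVICES = {"personal-storage.example.net", "unknown-sync.example.org"}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        day, user, host, out = line.split(",")
        rows.append((int(day), user, host, int(out)))
    return rows

def baseline(rows, last_day):
    """Map each user to the hosts they normally reach during the baseline window."""
    seen = defaultdict(set)
    for day, user, host, _ in rows:
        if day <= last_day:
            seen[user].add(host)
    return seen

def find_violations(rows, baseline_days):
    """Flag the first use of an unapproved service that is new for that user.
    Every user is checked against the same rule, so enforcement stays consistent."""
    normal = baseline(rows, baseline_days)
    flagged = []
    for day, user, host, out in sorted(rows):
        if day > baseline_days and host in UNAPPROVED_SERVICES and host not in normal[user]:
            flagged.append({"day": day, "user": user, "host": host, "bytes_out": out})
            normal[user].add(host)  # report each new service once per user
    return flagged

if __name__ == "__main__":
    for v in find_violations(parse_log(LOG_LINES), baseline_days=2):
        print(f"day {v['day']}: {v['user']} -> {v['host']} ({v['bytes_out']} bytes out)")
```

The flagged records are what a team would turn into the explanatory email the CISO below describes, rather than a disciplinary action on its own.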

One CISO that I recently spoke with told me that the biggest benefit of
gaining visibility into his network was the open lines of communication it
had created between employees and his security team. He said now employees
know that someone on the security team is monitoring their network
behavior. Upon breaking policy, they’ll expect to get an email from his
team explaining the risks and asking for their support in the future. He
described it as helping him to create a “culture of compliance” within his
organization.

As a company begins to enforce security policies and hold employees
responsible, the policies that once may have seemed meaningless will start
to be valued and respected. Over time, holding people responsible will lead
individuals to see how their actions impact the security of the
organization and come to consider themselves responsible for the security
of the company. This is the larger success, leading to not just fewer
policy violations, but to an overall more secure organization.