For many years security teams have been working on shedding the stigma of being “the department of ‘no.’” Today’s successful security professional understands that effecting long-lasting change requires a combination of collaboration, education, and negotiation. Though there might be some “right” and “wrong” ways to practice security (e.g., patching at convenience vs. maintaining a rigorous patching program), security professionals are realizing that insisting on adherence to their demands does not achieve the intended effect. Rather, security (like other business departments) must deal in shades of grey. In other words: risk. In this transformation to a risk-centric world, it is incumbent upon the security team to educate business leaders about system vulnerabilities, weaknesses in processes and procedures, non-compliance with industry standards, and what—optimally—should or could be done to eliminate as many risks as possible. To be able to accurately convey this information, security teams must first identify vulnerabilities and potential issues. Enter: testing.
Security testing exists in many forms: penetration testing, vulnerability scans, and security awareness programs, to name a few. A comprehensive security program includes various forms of testing, conducted regularly, followed by remediation, review, and re-testing. In a perfect world, security would find all the vulnerabilities, then patch them or get the responsible teams to patch. In reality, when conducting an assessment, security may be evaluating systems or processes that aren’t owned or managed by the security team; therefore, the decision to fix/change/repair isn’t the domain of the security team. In some cases, even if the process or technology is owned and managed by the security team, outside approval is still necessary (for instance, if the fix requires extra budget or may disrupt system availability). This entire scenario creates tension between security and the business. There is no way around it. Security’s job is frequently to point out inadequacies and educate the business on why failure/hesitance/reluctance/refusal to do the “right” thing puts the organization at risk.
To build trusted relationships and inform risk decisions, the security team can remove some contentiousness from the conversation by framing issues differently and by participating more closely with business leaders. The goal isn’t to assess, point fingers, then walk away; it’s to educate through a collaborative process so that colleagues can understand the benefits of changing how things are done or by fixing a vulnerability. Change is hard and business colleagues are busy, so telling them they must do X, Y, or Z and spend money (that they may or may not have) is bound to introduce friction.
Building a bridge
Instead of playing the villain, security teams should take a more collaborative approach to assessments, says Jaret Preston, Information Security Officer at Caterpillar Inc. “The key to removing tension,” he says, “is to be a full participant in the process yourself. Be aware that the ultimate goal is to expose and control risk to your organization over the long term.”
The first thing Preston recommends is to get to a place where you can empathize with colleagues’ work efforts. Many in the security community know a thing or two about being overworked and underappreciated, yet security often fails to recognize that burden in others. Business colleagues are not intentionally hampering security’s efforts; realize that they are tasked with responsibilities, have tight deadlines, and may be conditioned to do things in a way that may be contrary to security best practices. Showing empathy will go a long way in building partnerships, says Preston. A sense of partnership is especially important when the security team is presenting colleagues with extra work and effort—i.e., when a pen test or vulnerability assessment has identified a problem that needs to be fixed ASAP. Preston proposes a 4-step method for reassuring colleagues that they’re not on their own to remediate a problem and that security isn’t going to swoop in and take over, thus completely upending their work.
The key to a good partnership is communication. Even when a critical security flaw is identified through testing, remediation will impact others. Thus it is the responsibility of the security team to have a two-way conversation before jumping into or assigning a project. Any time a change is about to occur, security must clearly explain the problem, using language the business can understand, then listen to concerns. Ask questions and learn the core of others’ worries—are they afraid of missing deadlines? Will your implementation/change break or disrupt a tool to which they need access? Once you truly understand concerns, it may be necessary to negotiate a solution that reduces risk without completely ignoring the needs of one party.
Oftentimes people are averse to change because they don’t fully understand the implications or overinflate the outcome. If a security assessment highlights a problem that requires an alteration or disruption to people’s workdays, it can be valuable to physically show business colleagues the problems you’ve found. For instance, says Preston, if appropriate and possible, “point to things, touch computers, utilize resources to give colleagues a visual understanding.” Two-factor authentication is a good example. Rather than telling people they will need to complete an extra step before logging into resources (which sounds like a drag), show how easy it is to receive an email or text with a one-time passcode, or to use a Yubikey, then explain how using 2FA keeps everyone’s data more secure. Much of the time, when someone sees for themselves how easy a new process is, it’s a lot simpler to convince them to make the change.
As with the “show” step, above, offering doable solutions to problems is a must, says Preston. It’s one thing to convince people to use 2FA, but an entirely different situation when testing has uncovered a system-wide issue and applications will become unavailable or thousands of dollars will be spent. This is where security teams must do their best to educate and negotiate to achieve an optimal risk outcome. In some instances the business might choose to accept the risk instead of accepting security’s solution. In those cases, the security team must work diligently to explain probable impacts without resorting to fear tactics.
To truly understand how and why security is viewed negatively, walk a mile in someone else’s shoes. Security practitioners know their intent isn’t to make others’ lives more difficult, but from a non-security perspective, adding complexity and removing availability (even for a short period) are burdensome. Many decisions in a business environment are not black and white; therefore, when the security team enters the picture and declares that the business “must” do X to be secure, tensions are created. Remember that security is a supporting player in the business ecosystem. The goal, therefore, should be to provide the most accurate risk assessment to the business so that decisions can be made. When the scales are not tipped in favor of security’s recommendations, it’s easy to feel like the business doesn’t care about security. After all, testing is a routine and necessary element of a comprehensive security program. If the business is going to discard information about how to fix vulnerabilities, why bother?
It’s never easy to hear rejection, but the truth is, business, itself, is complex and many factors contribute to decisions. The best thing security practitioners can do—for sanity’s sake and to be better business partners—is listen to and learn from non-security colleagues. With empathy about others’ workflows, habits, needs, etc., it’s easier to see how security can support efforts without completely smashing them to pieces.
Learn more about aligning security responsibilities with business priorities at InfoSec World 2018 in Orlando, Florida, March 19-21, 2018.