No matter how much an organization spends on security solutions, it is still important to understand and acknowledge the part the organization’s own workforce plays in identifying and avoiding potential threats. The errant click on a malicious link or the compromised password has almost become a cliché by now, yet attackers still find success with these tactics. Attackers count on getting people to act before they think, and in a moment of weakness that can happen to any of us.
As your customers’ Trusted Advisor, it is up to you to use your experience and expertise to help the entire organization protect itself from security threats. Here is a closer look at the relationship between IT security and an organization’s workforce, and the role you play in that relationship.
Educating Employees on IT Security
In addition to finding the right technology solutions for an organization, you are also likely recommending additional actions they can take to enhance their IT security even further. Often, one of these actions is suggesting that the company require its employees to attend IT security-related educational programs. A number of companies already require such participation on an annual basis, frequently in the form of third-party-designed webinars that focus on human behaviors such as recognizing the characteristics of a likely phishing attack. The extent to which these initiatives are effective is debatable, but most experts agree that if they prevent even one person from compromising the IT infrastructure, then at least some value has been delivered.
“User education is critical to preventing phishing attacks, but you have to assume that you’re not going to get 100 percent effectiveness across your entire user base,” said Lee Pallat, Vice President of Cloud Strategy and Sourcing at Stratacore. “The phishers are getting more and more sophisticated, so even a well-educated user can fall victim to a well-crafted spear phishing campaign. So, it’s just as important to put some additional email security in place to either sandbox URLs or provide that extra layer on top of what’s already available.”
While security technologies can go a long way toward protecting a company, a comprehensive education campaign for employees is almost always the necessary next step.
Bringing Operations into the Mix
There is one other important “people” aspect of IT security worthy of consideration. While security professionals play a crucial role in protecting the company and its data assets, colleagues sometimes view them in a less-than-favorable light. “There’s a battle between the Security and the Operations people because Security tends to make things more difficult, and Operations’ goal is to get things done,” said Ben Thornton, CTO of Opex Technologies, a Trusted Advisor that offers managed security and “SOC”-as-a-service. “The security guys are seen as the ‘no’ guys. So we try to find out what their concerns are, change that impression, and accomplish security goals in less obtrusive ways. This helps to build credibility and goodwill with other groups within the company. This way, when you do have to say no about something, they don’t just try to work around you. They need to see that you have solid reasons. Don’t be the ‘no’ person or the ‘yes’ person. Be the ‘solutions’ person.”
Both technically and sociologically, effective IT security requires a balance that provides solid defense while still allowing employees to do their jobs with minimal obstruction. Where that balance point lies depends on a variety of factors, including the nature of the attack surface, the overall value of the assets the organization must protect, and the speed at which the business needs to move. As a Trusted Advisor, your role is to help determine how to keep your customer’s business safe while still enabling its workforce to focus on their responsibilities and on the overall business outcomes of the company.