At what point will we admit that technology is not enough? When will we discover that our well-documented processes are insufficient? Who will acknowledge that their leadership when it comes to governance isn’t working? It takes a strong person to admit these flaws in organizational behavior and tackle the hardest problems head on.
People, process, technology and governance are the building blocks of a good security program. Most clients I work with struggle in several of these areas, and everyone struggles in at least one. The lowest level of maturity I see is in building risk and security awareness, and infusing secure practices into the organizational behavior.
A Vicious Cycle of Inefficiency
Security is often viewed as a technology problem. There are physical aspects of security, such as gaining access to a building, but those have been mostly addressed since the invention of the lock and key. Today, technology is the medium on which the most valued assets are exposed. As a result, technologists are most commonly responsible for security.
Technologists, as we know, view all problems through the lens of 0s and 1s, software and configurations. In the realm of logical systems, the diverse world of individual behavior is too complex — it’s not simple logic. I have yet to meet a chief security officer (CSO) with a college degree in organizational behavior. It’s easy to buy packaged security software and implement it for the highest risk assets. If you can do that, you can show measurable progress toward security and move on to the next fire.
Technologists know that training, communications and user behavior analysis take as long as the product implementation and may cost more than the product itself. To make matters worse, how many of us are evaluated on the success of end-user adoption of security tools or processes? Very few, because it is hard to quantify.
If the approach to security excludes training, communication and user behavior changes, users find workarounds. Security must then block those workarounds. This cycle repeats until there is exactly one way to do something, and that way is rarely the most efficient or user-friendly. Let’s look at an example:
- Users are sending some sensitive financial information over public email via spreadsheets. A policy is published stating that spreadsheets with sensitive financial information cannot be sent via email. Users do it anyway, sometimes unknowingly.
- An email data loss prevention (DLP) solution is deployed to scan spreadsheets for the financial information and block those emails. As a result, users embed them in other document types or use USB drives.
- Next, the security organization locks down the DLP solution to all documents and email content, and deploys a tightly restrictive local device policy to disable USB drives.
- At this point users have lost a very useful and valid productivity tool because they cannot transfer anything via USB.
In this scenario, security becomes an obstacle. It is perceived as a purposeful restriction to kill productivity. Users, up to and including the C-suite, start to groan any time there is a new security project or request for funding.
Improving Organizational Behavior
In my experience, and in the experience of my colleagues, there are five behavioral characteristics that need to be addressed:
- Awareness of the common risks and vulnerabilities: Each organization has different threat vectors. Each user community may even be unique within the organization. These threats need to be communicated and understood by all users so they can identify and avoid them.
- Awareness of organizational policies and practices: Policies and processes need to exist not just on paper, but in the minds of users. They need to be simple, available and actionable.
- Awareness of responsibilities: Users, managers and leaders need to understand the personal and organizational implications of security. They need incentives to act in a secure manner, and consequences for neglecting, bypassing or obstructing security. That may be part of an annual evaluation, or it may be a pizza party if a security metric is achieved.
- Denial of risks: It’s one thing to understand security risks, but it’s another thing to believe them. Hiding security events exacerbates the problem because users often think, “It can’t happen here.”
- Practice being more secure in daily behaviors: Skills are perishable; they require practice. Psychological research shows that habits form after about 30 days of repetition. In the dynamic world of security, it’s best to practice, refresh and test periodically so security practices become and remain permanent.
Let’s look at that example from the previous section again and try an alternate solution based on the steps listed above:
- Users are sending some sensitive financial information over public email via spreadsheets, so a policy is published that prohibits employees from sending spreadsheets with this data via email. A communication plan is created and executed, including emails for awareness, a one-hour training for selected users and a two-hour training for managers whose users have access to this information. User continue to send this information, but the incidents are reduced by 75 percent.
- An email DLP solution is deployed to scan spreadsheets for the financial information and block the offending emails. This solution also notifies users when the content is found, with instructions about how to remedy the situation. As a result, the number of users sharing this information is reduced to fewer than five instances per month. These users choose alternate methods, such as USB drives.
- Next, the security organization extends the DLP solution to monitor and identify — but not block — information exported to USB drives. Managers approach the offending users directly to understand the situation, reinforce policies and, if necessary, find secure ways to share this information.
This approach allows users to use their USB drives, has a reduced technology footprint and is less restrictive overall. Security is no longer an obstacle.
Now, I recognize that this scenario neglects to consider regulatory concerns or the actions of rogue users. Regulations in and of themselves don’t measurably increase security nearly as much as an educated and informed user population.
User Education and Change Management
Now that we have seen what needs to change and how change can achieve our goals of a more secure organization, let’s look at some practical ways to implement organization behaviors for security.
Education, whether in-person or online, enables users to understand and begin using more secure practices. Since there are many levels of education, multiple mechanisms and iterations are often required. Further, the message and channel need to be tailored to the audience.
It should follow these four steps, for example:
- Send an email with a call to action and links to quick reference cards.
- Host a mandatory web-based training.
- Give a 15-minute presentation in an upcoming meeting for that business unit.
- Gauge effectiveness, solicit feedback and improve the next iteration.
Incentive- and consequence-driven change management is a complex art form, the scope of which is beyond this article. But it cannot be neglected as part of a holistic approach to change an organization’s security behaviors. Users need a reason to do, or not to do, something. We can’t expect everyone’s core belief set to include security, but we can help them feel more personally motivated to do what’s right for security. There is no set formula, but it often involves directed communications, stories about success and failure, praise for security diligence, individual performance evaluation criteria, business unit performance evaluation criteria and rewards for some measured achievement.
While consequences are not usually the best motivator, they are necessary. These may include poor performance evaluations, executive intervention and even legal consequences. Also, don’t forget the power of peer-level social interactions. If you can get people speaking positively about security, it can have a major impact on their peers in both positive and negative ways.
Aligning Organizational Behavior With Business Goals
Lastly, security behaviors need to be aligned with people’s day-to-day jobs. IBM Design Thinking is a powerful way to understand user communities, tailor solutions to their needs to enable success and design organizational behavior changes to increase adoption. Through these workshops, it’s possible to create systems, processes, policies and communications, and tailor them to your most relevant users. It’s a powerful tool that can be used to reduce the perception that security is an obstruction to productivity.
The concepts of organizational behavior, communication, training and other soft factors may not be the first thing that comes to our minds as technologists. For many organizations, however, they represent the next big opportunity for increased security.
Principal Security Architect for Delta Air Lines
Brett Valentine is a Principal Security Architect for Delta Air Lines. He was previously an Associate Partner with IBM Security, and worked for other large ...