Security awareness programs must involve, not bludgeon, employees: Atlassian CSO

Organisations working to implement new security policies should focus less on being blindly prescriptive and more on working with employees to build a policy they will want to be part of, the head of IT security at software tools developer Atlassian has advised.

Speaking at the CSO Perspectives Roadshow in Sydney, Craig Davies – who joined Atlassian as director of security in September after a stint at medical-products company Cochlear – said one of the biggest mistakes CSOs make is to treat security policy as a tool for bludgeoning employees into following overly difficult rules, such as mandatory regular password changes.

“I’ve found that a number of acceptable-use programs get written along the lines of ‘don’t do this’,” Davies said. “You go to the trouble of hiring professional people, encourage them, and then say ‘we trust you so much that we don’t want you to do any of these things’ – and you end up with an environment where people are either frustrated or go around [the policies].”

In evaluating the best way to bolster Atlassian’s security culture – a 400-employee “software development house where we treat privacy very seriously” – Davies said his first strategy was to build a ‘user pathway’ to raise employees’ overall awareness of the risks of issues such as phishing, password security, USB drive safety, and the like.

A series of training modules had been developed to educate employees on such issues, with different modules targeted at different types of employees. For example, engineers might be targeted with training about the importance of intellectual property protection, while salespeople might be more concerned about the risks around mobile devices.

“Salespeople can be your greatest allies,” Davies said. “I’ve previously had the experience where a salesperson identified a very critical risk that was about to occur when we were the subject of a targeted phishing attack. It was very well crafted, and we picked it up within an hour of it commencing – but it was originally picked up by a sales guy who got an email and said ‘that just doesn’t look right’.”

Promoting that level of employee buy-in goes much further towards meeting security objectives than simply setting didactic policies and building a culture of fear around the consequences of not following them, he said – although some organisations stack the deck against themselves by requiring employees to manage 20 or more different username and password combinations to access various systems.

The CSO’s burden

Although IT managers often blame users for security compromises, Davies pointed out that the onus is on the IT organisation not to escalate security policy to unreasonable levels. CSOs should also look to equip employees with tools such as password managers, which both simplify access to systems and improve overall security by making long, unique passwords practical for every account.

The real test of a policy is for the CSO to follow it themselves, to the letter, for 30 days – and to look for ways to improve it if it’s too burdensome. “Live it,” he said, “and if your password policy is crap, fix it. Put yourself through the pain a user has to go through, then feed that back into your program.”

In the long term, Davies said, any security policy has to be couched in ways that make sense to employees, so they will be willing participants.

“When running a security program it’s very important that your first answer to everything is ‘yes, tell me about the problem you’re trying to solve’ rather than ‘yes, this is the situation you want to use’,” he explained.

“When you’re asking people to be involved, you need to find that special connection in your enterprise that allows them to understand where they fit into the program. This stuff is real, and the point is to make sure your people understand what they’re getting into. The ultimate thing you want is ownership.”

Even bribery can have its benefits, Davies joked, noting that Atlassian is sometimes referred to as ‘a T-shirt company with a software problem’ and that a run of security-specific T-shirts was currently in production.

“We’re not sure if we’re going to make them prizes for something bad, or something good,” he laughed. “We’re still figuring out what the audience will be. The key is to do whatever it takes to change behaviour. Find something in your company culture that is perhaps different, and do something with it that actually means something to people.”

Stories by David Braue