Organisations working to implement new security policies should focus less on being blindly prescriptive and more on working with employees to build a policy they will want to be part of, the head of IT security at software tools developer Atlassian has advised.
Speaking to the CSO Perspectives Roadshow in Sydney, Craig Davies – who joined Atlassian as director of security in September after a stint at medical-products company Cochlear – said one of the biggest mistakes many CSOs make is by approaching security policy as something by which to bludgeon employees into following overly-difficult policies around regular changes of passwords.
“I’ve found that a number of acceptable-use programs get written along the lines of ‘don’t do this’,” Davies said. “You go to the trouble of hiring professional people, encourage them, and then say ‘we trust you so much that we don’t want you to do any of these things’ – and you end up with an environment where people are either frustrated or go around [the policies]."
In evaluating the best way to bolster Atlassian’s security culture – a 400-employee “software development house where we treat privacy very seriously” – Davies said his first strategy was to build a ‘user pathway’ to raise employees’ overall awareness of the risks of issues such as phishing, password security, USB drive safety, and the like.
A series of training modules had been developed to educate employees on such issues, with different modules targeted at different types of employees. For example, engineers might be targeted with training about the importance of intellectual property protection, while salespeople might be more concerned about the risks around mobile devices.
“Salespeople can be your greatest allies,” Davies said. “I’ve previously had the experience where a salesperson identified a very critical risk that was about to occur when we were the subject of a targeted phishing attack. It was very well crafted, and we picked it up within an hour of it commencing – but it was originally picked up by a sales guy who got an email and said ‘that just doesn’t look right’.”
Promoting that level of employee buy-in goes much further in meeting security objectives than simply setting didactic policies and building a culture of fear around the implications if they are not followed, he said – although some organisations stacked the decks by requiring employees to manage up to 20 or more different username and password combinations to access various systems.
The CSO’s burden
Although IT managers often blame users for security compromises, Davies pointed out that the onus is on the IT organisation to avoid escalating security policy to unreasonable levels. CSOs should also be looking to equip employees with tools such as password managers, which can both simplify their access to systems and boost overall security by enabling the use of complex passwords.
The real test of a policy is for the CSO to follow it themselves, to the letter, for 30 days – and to look for ways to improve it if it’s too burdensome. “Live it,” he said, “and if your password policy is crap, fix it. Put yourself through the pain a user has to go through, then feed that back into your program.”
In the long term, Davies said, any security policy has to be couched in ways that make sense to employees, so they will be willing participants.
“When running a security program it’s very important that your first answer to everything is ‘yes, tell me about the problem you’re trying to solve’ rather than ‘yes, this is the situation you want to use’,” he explained.
“When you’re asking people to be involved, you need to find that special connection in your enterprise that allows them to understand where they fit into the program. This stuff is real, and the point is to make sure your people understand what they’re getting into. The ultimate thing you want is ownership.”
Even bribery can have its benefits, Davies joked, noting that Atlassian is sometimes referred to as ‘a T-shirt company with a software problem’ and that a run of security-specific T-shirts was currently in production.
“We’re not sure if we’re going to make them prizes for something bad, or something good,” he laughed. “We’re still figuring out what the audience will be. The key is to do whatever it takes to change behaviour. Find something in your company culture that is perhaps different, and do something with it that actually means something to people.”