The technological landscape has changed drastically since the turn of the century. With thought leaders in Silicon Valley and young entrepreneurs looking to disrupt the technology marketplace through continual development, it seems like there is no end in sight to these changes. One outcome of this ceaseless development is that C-suite security and information executives are forced to do an increasing amount of research when looking to update or implement new technological solutions to meet business needs.
Too often these new implementations result in some extended growing pains and difficult adjustment periods for all involved, from IT and operational security management all the way down to entry-level employees. In a worst-case scenario, a bad rollout of new technology can end in outright failure.
There are many reasons new security software or technology implementations can fail, but these are three big mistakes to watch out for … along with strategies for avoiding them.
Mistake #1: Thinking of Security as an IT Problem
More and more security solutions request or require network access to function properly. Technology like cloud-connected security cameras and the use of biometric or mobile credentials at access control points leans heavily on an organization’s IT infrastructure. Considering this, it’s becoming easier than ever for decision-makers to simply rely on IT to take control of an increasing proportion of a company’s security footprint. But while it may be efficient to silo security in IT, is it really an effective option?
While IT is certainly well-positioned to address many kinds of threats (a point we’ll return to in a moment), it is not situated to do so alone. They must be joined by security professionals and executive leadership in order to be successful. But how?
More than anything, effective security implementation relies on open, honest communication. This tends to run counter to the more traditional top-down hierarchies that many businesses are built on. These kinds of barriers to effective communication can be difficult to work around—but there’s always a solution.
According to Tracy Reinhold, the Chief Security Officer (CSO) at Everbridge, formerly the CSO at Fannie Mae, being proactive is the easiest way to open lines of communication. It’s only recently that larger organizations have created a seat at the executive table for security officers. For small- to medium-sized organizations, such access to the C-suite or boardroom for security leaders might not even exist. In either case, it stands to reason that there is an education gap between security professionals and those with control of the decisions … and the budget.
Here’s where Reinhold’s proactive approach is instructive. The conversation regarding a new implementation needs to start before the need for a new solution arises. He recommends building relationships ahead of time with executives and/or board members who are sympathetic to changing security needs. Avoid asking for favors or how they can help you; instead, ask about their role in the organization and what they see as pressing security concerns.
Nurturing this kind of relationship over time will not only get your security concerns in front of decision-makers but will also give you a better idea of how the executives or board members envision future security needs.
Mistake #2: A Lack of Understanding of the Threat Landscape
Implementing new security technology requires more than simply replacing an old surveillance system, implementing blockchain, or adding biometric access controls. While a new device or software may address one set of existing issues, there is a high probability that it will create new, additional security concerns. The path to improving security technology over the past decade has been one of increased connectedness, putting more devices on a network together, thereby expanding the attack surface a malicious actor can exploit.
The problems stemming from an expanded attack surface are compounded by a long-term, ongoing shortage of qualified cybersecurity experts. Over the past couple of years there have been numerous reports highlighting the growing gap between the business need for qualified security personnel and their actual availability on the job market. This means that in most organizations, there aren’t enough professionals who really understand the current threat landscape.
In the short term, the lack of cybersecurity personnel can partially be overcome by tapping internal talent and providing ongoing training. However, that won’t address the proximate cause of the increased exposure: an overall lack of integrated risk assessment.
According to Terry Gold of D6 Research, the inability of an organization to properly address its total security stems from the simultaneous operation of multiple security models. The operational security team handles any facilities, grounds, or other physical security needs, and IT handles the network and endpoint security. As previously noted, separating security tasks results in gaps in communication and understanding about the real threats posed to the organization.
The desire to solve the skills and communication gaps by deploying updated tech or software solutions is appealing. Though it may make your vendors happy, trying to address security issues by deploying new technology is putting the cart before the horse, as it doesn’t account for the actual security risks your company is facing.
Rather than focusing on a particular product, have operational and IT security sit down together to hash out where they see existing vulnerabilities. It will provide a much better understanding of your company’s overall risk exposure.
If you run a small- or medium-sized business, you may not have dedicated security staff. While you may need to spend a little extra, hiring an outside security consultant (preferably someone who is “vendor neutral”) could help you develop a deeper understanding of your risk profile.
Then, once the threat landscape is outlined and understood, work with vendors to acquire the solutions that best meet your organization’s needs.
Mistake #3: A Lack of Employee Training on Security Measures
At the end of the day, the biggest risk your organization must contend with has already broken through any security measures you may have in place: your employees.
Humans are fallible, and the demands of a modern work life built on multitasking and working across devices increase the chance of making mistakes. Each year, research continues to show that regardless of how much money you spend on your cybersecurity platform, a lack of employee training and awareness of proper security protocols leads to increased risk and a larger attack surface.
While spending money on fancy intrusion detection software, antimalware platforms, firewalls, and other security measures will certainly help, it won’t help much if someone from marketing clicks on a malicious link in a phishing e-mail.
It is important to have a clear security policy in place and to thoroughly review it with new hires (in every department) during onboarding. But, according to most experts, security training can’t be conducted once and never touched on again. It needs to be built into a broader security culture within the organization that is continually fostered through active communication with employees at all levels.
Developing a positive security culture can help overcome resistance employees may have to implementing policy. One way to do this is to set up a reward program that reinforces security vigilance. This vigilance can take the form of finding, reporting, and properly handling malicious e-mails; notifying the security team about an object that’s out of place in a sensitive area of the facility; or any number of other behaviors that are desirable for maintaining your organization’s total security.
As a security leader, recognize that even with ongoing security training, some threats will still get through. Extend empathy to those employees who make mistakes, and turn the event into a teachable moment.