There is a lot of conversation among IT security leaders about engaging the workforce in order to mitigate threats. But how do security professionals actually win people over to their side? Many employees are willing to comply, but what can be done to really get through to those that are resistant? Johanna Baum, the CEO and Founder of S3 (Strategic Security Solutions), contends that to enact change, leaders must involve those that are most reluctant to go along with security protocols — especially the person still keeping their login password on a post-it note on their computer. In order to change the security culture of a company, Johanna suggests seeking out the person at a company who is least likely to comply.
Main Takeaways
- It Comes Down to the People: There’s always going to be a security tech stack. A security platform and relevant apps will help reduce threats. But, fundamentally, people still have to operate any given platform or system as part of the security solution. Furthermore, employees also need to engage in secure behaviors that reduce the overall risk to the company.
- Involve the Malcontents: Cultural change concerning security is only as strong as the weakest link. Leaders must seek out the malcontents in order to engage them in the process. Leaders must put employees who are reluctant to accept security protocols in situations where they can test out measures and be part of the solution.
- Keep Security Simple: Because there are so many security threats, there can be a tendency to assume risk mitigation must be very complicated and beyond human capacity. Although artificial intelligence and automation can certainly be helpful to thwart so many threats, there are also really simple things people can do on their own to strengthen security. For instance, this can be as basic as ensuring people log out or use effective passwords. On a company-wide level, it can be as elemental as making sure there is an up-to-date list of all the users at the organization.
For a more in-depth look at this episode, check out the article below.
Article:
“Who’s your most difficult employee?” Baum asked. “Who’s the guy who’s going to look at this and then throw it in the circular bin? ‘Like, yeah, I’m going to file that over here in my trash. I don’t want to look at it. I don’t want to deal with it. I got my post-it note. I’m solid.’ That’s the guy I want to talk to…because that’s going to be where my biggest vulnerability is. So we talk to him. We let him test. We make sure him or her — that they are part of the process. Even though they sometimes don’t want to be, they end up kind of getting a kick out of it. Because it’s something that in the long run, [if] I can keep them there and complying, it definitely reduces risk for the company.”
IT security threats seemingly are everywhere and it certainly can be overwhelming for organizations trying to respond to them. Companies must respond to outside threats and, unfortunately, even some internal ones too. Gaps in the credentialing process and the rise of remote work and hybrid work are only increasing security risks. Furthermore, it can be very challenging to get employees to get in line and follow security directives.
On a recent episode of IT Visionaries, Baum broke it down in simple terms. There has to be buy-in from all employees, and it’s incumbent on leadership to track down and engage the recalcitrant crowd. Also, there are basic things that can be done to promote security — like individuals securing passwords or entire companies maintaining an accurate list of their users. She also shared her career journey from accounting to IT Security and founding her own company.
At a basic level, Baum maintained that, despite so much new technology, security ultimately comes down to human behavior.
“If you go to the RSA conference, now it’s spilled over into every part of San Fran,” Baum said. “There’s so much technology. Every second, there’s like 50 new companies that are coming up or how to protect, but it still comes back to the people behind it. It’s still back to the people that are working in that technology every day. And the guy that doesn’t care about the policy, the guy that has the post-it note on the top of this computer, the guy that doesn’t go through the certification process because he’s like, ‘Yeah, rubber stamp that, I got other stuff to do,’ that’s the guy I’m looking for. I have to protect the company from that guy.”
Baum clearly believes that it’s incumbent on leadership to find those who are creating vulnerabilities and then win them over by engaging them in the process. She also pointed out there are basic things that employees can do that really help strengthen security.
“You should not be indefinitely logged in with no verification or reconfirmation,” Baum said. “People still are wowed by tha… And I know passwords are everyone’s annoyance. ‘Why do I have to log in at all? Why do I have to validate? Why do I have to check my phone?’ ‘Okay, I hear you. I would love for this to not have to challenge you, but I still have to validate. At some level, we need a minimum level of assurance that you are who you say you are’…Logout times [or] two-factor: some are using none of that. They’re not validating the person. They’ve got one single password for everything and that one password is very well known. There’s no exception tables to stop them from using their name or the word password as their password.”
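The "exception table" Baum describes is a list of strings a password may never contain, checked alongside the user's own name. The following is an added illustration, not code from S3 or from the episode; the banned-word list, the leetspeak substitutions and the minimum length are assumptions chosen for the example.

```python
import re

# Constructed exception table (assumption, not from the page): words a password
# may never contain. Both the table and the password are normalized before matching.
EXCEPTION_TABLE = {"password", "letmein", "welcome", "qwerty"}

# Undo common substitutions so 'P@ssw0rd' is recognized as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def normalize(s: str) -> str:
    """Lower-case and reverse leetspeak so lookalike spellings collapse together."""
    return s.lower().translate(LEET)


def password_violations(password: str, username: str, full_name: str,
                        min_len: int = 12) -> list:
    """Return the reasons a password fails the exception table; empty means it passes."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    norm = normalize(password)
    # The user's own identifiers: the login name plus each part of the display
    # name of 3+ characters (short fragments would block too many passwords).
    identifiers = {username} | {p for p in re.split(r"[\s._-]+", full_name)
                                if len(p) >= 3}
    for ident in sorted(identifiers):
        if normalize(ident) in norm:
            reasons.append(f"contains user identifier {ident!r}")
    for word in sorted(EXCEPTION_TABLE):
        if normalize(word) in norm:
            reasons.append(f"contains banned word {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample user; 'P@ssw0rd2024!' is rejected despite its symbols and digits.
    for candidate in ("P@ssw0rd2024!", "Baum-Summer-2024", "correct horse battery staple"):
        print(candidate, "->", password_violations(candidate, "jbaum", "Johanna Baum") or "ok")
```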
Furthermore, Baum explained that companies can also do their part by maintaining accurate records.
“Do you know where all your users are?” Baum asked. “Do you have a central repository to store at least who those people are? We definitely recommend that. You gotta have that. We have to know who is where so we can make sure we know what they have access to, and how do I get them out when I need to?”
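A central repository only answers "who is where" if it is reconciled against what each system actually grants. The check below is an added example, not S3's tooling; the user records, system account lists and the service-account allowlist are constructed sample data.

```python
# Constructed sample data (assumption): the central user repository, e.g. an
# HR or identity-provider export, and the account list pulled from each system.
CENTRAL_REPOSITORY = {
    "jbaum":  {"status": "active",     "dept": "security"},
    "asmith": {"status": "active",     "dept": "finance"},
    "cjones": {"status": "terminated", "dept": "sales"},
}

SYSTEM_ACCOUNTS = {
    "erp": {"jbaum", "asmith", "cjones"},
    "vpn": {"jbaum", "cjones", "contractor7"},
    "git": {"jbaum", "svc-build"},
}

# Non-human accounts must be registered explicitly; anything else not in the
# repository is reported rather than silently accepted.
KNOWN_SERVICE_ACCOUNTS = {"svc-build"}


def review_access(repo, systems, service_accounts):
    """List accounts that the central repository says are not active, or does not know.

    Each finding is (system, account, reason), ordered by system then account so
    the output is stable enough to diff between reviews.
    """
    findings = []
    for system, accounts in sorted(systems.items()):
        for account in sorted(accounts):
            if account in service_accounts:
                continue
            record = repo.get(account)
            if record is None:
                findings.append((system, account, "unknown to central repository"))
            elif record["status"] != "active":
                findings.append((system, account, f"user is {record['status']}"))
    return findings


def access_by_user(systems):
    """Invert the per-system lists to answer 'what does this person have access to?'"""
    out = {}
    for system, accounts in systems.items():
        for account in accounts:
            out.setdefault(account, set()).add(system)
    return out


if __name__ == "__main__":
    for finding in review_access(CENTRAL_REPOSITORY, SYSTEM_ACCOUNTS, KNOWN_SERVICE_ACCOUNTS):
        print("%-4s %-12s %s" % finding)
```

Findings for a terminated user list every system the account must be removed from, which is the "how do I get them out" question answered from the same data.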
Baum’s background is unique, as her career first began in accounting. She moved from tax to auditing to consulting, and ultimately made her way into IT security.
“I really was not a great auditor because I asked too many questions,” Baum said. “I mean, and not audit questions. I was like, ‘why do you do that?’ In accounting, that’s just [not typically done]: ‘Look, we follow. It’s very easy [because] it’s compliance. We got a yes or no. We can live in a little bit of gray, but this is financial accounting. We don’t really have much latitude.’ I really wanted to break things and then put them back together. I wanted to change a business and figure out how they could evolve. And that is definitely not the accounting mantra.”
But all her previous business experiences in accounting were building blocks for her work in IT security.
“I think it’s a great foundation for somebody in IT because you do know how the business works,” Baum said. “I know where the dollars are flowing. I know what executives care about from a street standpoint [and] from a financial standpoint [and] what they’re reporting [and] what their stakeholders are looking for, [and] what they’re held accountable for inside the organization. I also know from an IT standpoint [that] I can’t do that. I can’t automate that. Oh, wait, maybe I can. So it really gives you that intersection between how the business works and how I can enable it with technology that most people, I think, don’t have these days.”
For Baum, understanding how every individual in a business thinks is what allows her to determine how to engage everyone at a company to participate in good security practices.
To hear more about how S3 engages all employees to be an integral part of the security solution, check out the full episode of IT Visionaries!
IT Visionaries is brought to you by the Salesforce Platform – the #1 cloud platform for digital transformation of every experience. Build connected experiences, empower every employee, and deliver continuous innovation – with the customer at the center of everything you do. Learn more at salesforce.com/platform