In a world with siloed IT, development, and business teams, many organizations struggle to ensure appropriate communication across all users. Mid-sized enterprises (MSEs) face a unique challenge, as their IT and security team members often wear multiple hats while also managing a mass of on-premises and remote-user devices.
Digital transformation changes how organizations approach security. As internally developed applications and integrations increase cybersecurity risk, DevOps teams need to partner with IT teams. While IT teams push out software and operating system updates, DevOps teams need to monitor for misconfigurations that could undermine those security activities. Meanwhile, end-users need to recognize their own role in mitigating data breach risks.
With effective communication at all levels, MSEs can create cohesive, streamlined cybersecurity programs that mitigate risk.
Cybersecurity is a “shared responsibility”
Information security teams are given seemingly contradictory tasks: they are mandated to secure and protect the organization while being constantly reminded to preserve business productivity. Further, end-users often assume they have no responsibility for maintaining that security posture, viewing the IT and security teams as the ones responsible for implementing the necessary technical controls.
Keeping devices, applications, development, and production infrastructure secured is a never-ending battle. From the purely technology-focused side, IT and security teams juggle complex responsibilities that include:
Hardware and software inventory management
Authentication and authorization management
From the end-user point of view, these activities act as roadblocks, so users feel justified in bypassing the security controls that get in their way, putting the organization at even greater risk.
IT and security teams can build a better relationship with end-users by adopting a “shared responsibility” approach. Just as cloud services providers define how they and their customers share security responsibilities, IT and security teams who view their end-users as customers can define better cyber hygiene roles across the organization. By viewing end-users as “customers,” technology teams can develop understanding and obtain buy-in from the employees they serve. They need to enable their “customers” to understand their individual roles in maintaining the company’s security posture and know how to maintain their devices’ cyber hygiene.
Clearly communicate the responsibilities and benefits
For IT and security teams, the first step should be to meet with stakeholders across the company, starting with executives and senior leadership and working down through members of teams. During these meetings, the technology teams should:
Learn stakeholders’ goals
Understand how those goals relate to the company’s goals
Uncover any roadblocks teams are facing
Ask for input about how to help them accomplish their goals
These meetings enable the technology experts to define and report on how they plan to focus their teams’ responsibilities from both the IT and security perspective, including:
How they help each employee and business team accomplish their goals
What tools they plan to provide them so they can work effectively
Why implementing the controls is necessary to protect corporate data, employee data and customer data
By doing this, the IT and security teams build end-user trust and foster the internal relationships that earn them the cooperation they need. For example, in an increasingly SaaS-driven business world, IT and security teams that roll out SSO to their end-user customers can streamline both security and productivity, improving the relationship while raising the level of data protection.
To maintain these relationships, the technology teams should set up short recurring monthly meetings with all executives, directors, and managers that include:
An overview of the past month’s accomplishments
Any issues that arose during that time
Steps taken to mitigate the issues
Planned projects for the upcoming month
Request for feedback, including concerns, potential impacts, and suggestions for improvements
Through these conversations, the organization encourages workforce members to resolve issues independently and proactively, helping people realize that taking personal responsibility has positive outcomes.
Regularly communicate to build better habits
When delivered regularly, security awareness training is an opportunity to keep employees informed about security best practices and to instill in them the idea that they have an obligation to be informed and aware of the risks that come with their role.
However, the IT and security teams can support these educational initiatives by:
Standardizing device purchasing processes
Automating onboarding processes
Automating software distribution
Normalizing security configurations
Automating device patching and update processes
Even when projects have an adverse impact on end-users, the ongoing communication and the relationship built with these “customers” make it easier to smooth out the bumps and move the company forward.
Even with automation handling routine maintenance tasks, many MSE IT and security teams still struggle to minimize technical debt. For example, these teams may not be able to keep every device fully patched, or the software on those devices fully updated, without the help of the devices’ users. By regularly communicating the security “why” behind these preemptive device security steps, they make employees more likely to build better habits.
When technology teams explain things in terms their customers understand, people connect with the message better and take proactive steps. For example, a message about routinely rebooting devices might draw an analogy to regularly checking a car’s tire pressure. The car performs better and more safely when people carry out this preventative maintenance, just as a device performs better and more securely when people reboot it regularly.
The more IT and security teams can relate cybersecurity to their users’ real-world experiences, the more likely those users will be to take preventative measures with their corporate devices, ultimately taking their cyber hygiene to the next level.
When technology teams regularly communicate with their end-users, treating them like customers and partners, they build a proactive mindset over time that carries over into the users’ security mindset. Studies show that it takes between 7 and 10 exposures to a concept before a person can assimilate it and incorporate it into their thought patterns, and developing a habit takes even longer. Annual security awareness training programs only serve to introduce concepts. For people to build good cyber hygiene habits, they need ongoing reinforcement that keeps these activities top of mind.