Every Employee is a Security Partner

Wednesday, May 18, 2011

Robb Reck

The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization.

But when it comes down to it, we are not the ones who do most of the practicing. The ground-level implementation of security in the organization simply cannot be the work of a few information security employees; it needs to be performed by every employee in their day-to-day tasks.

The information security team is responsible for the creation of the policies and standards. This is the framework that a security program is built on. By using a well-tested framework we can ensure that our organization’s security needs are adequately documented. The policies are critical, but they are only the framework. To flesh out the program we need the actual implementation, and that’s where the rest of the staff comes in.

Another essential role of information security is in properly distributing the policies. Having a perfect set of policies and standards is one thing, but if it is never put into the hands of those who do the work, it is of very limited value. Security awareness training must be more than just a checkbox we tick to get through an audit. Awareness of corporate policies and standards should be provided through formal training, but also through guerrilla marketing, regular staff meetings, reminder emails, and performance reviews.

Once the policies are in the hands of our entire staff, it is up to them to successfully implement data security. Whether the policy covers password complexity rules, sensitive data handling, or secure coding standards, we depend completely on our employees to implement it. We cannot overlook any employee group; even the least likely-seeming employee will have access to our organization, and could be used as a jumping-off point for an attack. A thorough and consistent security message, delivered to every area of the organization, is required.

In order to ensure that each employee hears the appropriate message, we need to customize their training to their daily experiences. There are some areas that every employee should be taught (secure password rules, avoiding tailgaters, how to spot an intruder), while there are many others that are essential in some departments but unnecessary for others (secure coding standards, firewall configuration rules). By tailoring the training to the intended recipients we reduce the amount they need to be taught, while making the training both more interesting and more effective.

Employees partnering in security can give us granular security knowledge that InfoSec cannot otherwise have.

Once we get our employees to view themselves as our partners in security, they will start to point out areas we missed. This gives us significantly improved insight into the organization as a whole. When we have the accounting team providing suggestions on how to improve accounting security, the DBAs helping with database security, and the call-center reps helping with our customer service process, we get the kind of granular insight that one central InfoSec team could never have.

Another benefit of this kind of enterprise-wide security implementation is that our employees can work as a human intrusion detection system (IDS). As an example, last year when the “Here You Have” worm hit the internet, the employees at Intel immediately recognized it as malicious and gave the central IT/InfoSec departments a heads-up so they could take immediate action to prevent exploitation in their organization. The same can be said for any type of persistent threat. A server admin may notice continued bad authorization attempts from a specific IP, a receptionist may notice a stranger lingering around the entryway, or an HR employee may forward on suspicious emails that seem specifically targeted at the organization. In any of these situations, our employees can be a first line of defense, and prevent more serious exploits from occurring.

By integrating all employees as information security partners we not only improve the overall quality of our information security program, but we also educate our employees to make better choices, both at work and at home. By partnering with all our employees we add value on all sides. That sounds pretty good, doesn’t it?

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Terry Perkins: I completely agree. Security cannot be done in a vacuum. It is everyone's business. My experience has been that most people want to do the right thing. Sometimes they just don't know what that is. Great article.
Ken Major: Robb,

you're stealing all my Awareness schtick!

Just kidding! Excellent work.
Your article, like your overall point that the program should be targeted and concise, is spot on.
Robb Reck: Thanks to both of you for taking the time to read and comment. Awareness isn't just for us security folks anymore!
Katie Weaver-Johnson: Robb - great post!

I completely agree with you. General Awareness Training is good, but it isn't good enough... it is critical for organizations to provide ongoing and customized training to clearly define individual-level roles and responsibilities.