5 Key Strategies for Today's Security Team
“Data security is more complex than ever” may be the understatement of the year. Expanding connectivity and a culture of collaboration are increasing data security challenges at an exponential rate, but as a Silicon Valley tech company, our culture favors innovation. It is my role as a security leader at Juniper Networks to ensure that we manage security without impeding collaboration. That culture helped prepare Juniper to maintain business continuity with a remote workforce that depends on collaboration tools.
It is important to recognize that not all companies are in this same position. The COVID-19 pandemic pushed companies to work in new ways that rapidly accelerated these challenges. For security teams, it can sometimes feel like an endless game of whack-a-mole, just putting out a new fire each day and struggling to get a full grasp on the big picture. One of the biggest questions I hear when I talk to peers in security leadership is simply, “Where do we start? Where do we focus our attention to have the greatest effect?” There’s no easy answer, and there’s no magic bullet strategy that will instantly address every data security challenge. But here are the top five key strategies that I believe are most impactful for today’s security team.
1. Start with the fundamentals: Know where all of your data is
This isn’t some innovative secret. You need to know where all of your data is, including what devices and cloud collaboration platforms it resides in. Gaining visibility into data and its movement is paramount and should be where security teams begin.
Asset management is one approach to this and it’s something that everyone wants to do, but it’s a difficult, never-ending task. I always say, show me one non-regulated industry where a company has done asset management effectively and consistently, and I’ll buy them all drinks. The cloud just makes the challenge that much more complex. As anyone who has ever installed a CASB solution can attest, you have no idea how enormous your full ecosystem is until you start gaining visibility into the cloud.
While it’s not new or exciting, starting with the fundamentals (just knowing what data you have and where you have it) is still an incredibly powerful strategy. The complexity will undoubtedly be daunting at first. But once you know what you have, you can sit down and try to find opportunities to streamline, eliminate redundancies and move toward singular solutions. Then you can start moving toward a more mature level of security where you not only know what data you have, but where it lives on various assets and cloud collaboration platforms, and determine which data is business-critical.
Use your PII audit process to also identify IP
Here’s one place where I see a lot of organizations miss a big opportunity. A lot of companies are doing massive PII audits to meet increasing data privacy standards like GDPR or the new California data protection act that just passed. The security team should use this as an opportunity to identify intellectual property — collaborating with legal and IT to build in additional fields and get more out of that audit. For example, not just identifying which assets hold PII but identifying which assets hold source code, trade secrets and other IP. You should also identify the content creator, content owner and who has access to this valuable content. You’re going through this exercise anyway, so you might as well use it as an opportunity to gain the full visibility you need. As your security posture grows more mature, this information can feed into the security organization to allow you to do proper risk assessments and understand where your risk really exists. When an incident does occur, you’ll immediately know what risk it presents — and you’ll be able to investigate and respond faster.
2. Stop chasing the malicious insider
For most of my time in the security world, the storyline was “stop the bad guy from getting in.” We’ve all gradually recognized that it’s the insider threat that presents a bigger risk today. But now we’re all too focused on the storyline of the “evil insider.” If you’re going all-in on prevention, it’s almost impossible. A malicious insider is almost always going to find a way to defeat your controls.
Instead, it’s time we turn our gaze to the non-malicious insider, which is the much more pervasive threat. To accomplish this, it is critical to put tools in place so that you can monitor and see the movement of your most valuable data and files.
Find the high-risk triggers
The reality is that almost all insider threats start out as well-intentioned users. Internal events such as disciplinary action, a company re-org, putting in two weeks’ notice, etc., are pivotal moments where I tend to see increased risk to data derived from insiders. There’s a reason that the friendly, trustworthy guy in accounting has suddenly decided to sabotage the company — the key is identifying those triggers so you have context and can focus on those truly high-risk scenarios. And while you’re at it, don’t just examine the last two weeks of activity. You need to look back at least six weeks. Rarely do people move from “I think I want a new job” to “I’m leaving the company” in a week or two — that process takes weeks or months. It’s in this longer period that most risky data exfiltration happens, not in the two weeks after they give notice.
Account for the accidental insider threat
The other reality is the vast majority of users who do something risky aren’t doing it maliciously. They just don’t realize what they’re doing will put the company’s data at risk.
Here’s an easy example: A veteran sales rep who is constantly on the road has been saving all his critical files to Dropbox for the past 5+ years. When he decides to take his career in a different direction, taking a job with a small startup competitor, he follows all IT/HR/security protocols around turning in his devices and not taking files. But on his first day in his new job, he installs Dropbox — planning to use it for his mobile work life just as he has before. Because he didn’t manually delete all his old employer’s files from Dropbox, he’s accidentally brought all of those files with him into the new employer’s environment. He’s created a data exfiltration risk for his old employer and left his new employer’s security team with the headache of cleaning up his accidental data infiltration.
3. Help your employees do the right thing
The example I just gave leads to my next point: make sure you’re doing everything you can to help your employees help you. I started out doing investigations into employee data theft more than a decade ago, and looking at the big picture from then to now, I can tell you that 99.9% of users want to do the right thing. But too many companies simply look at all employees as risks instead of allies. One of the easiest ways to mitigate insider threat risk is to trust your employees and give them the tools and training to be successful.
Here’s an actual example from my time at Juniper Networks. A few years ago, we recognized that millions and millions of files were going out the door into uncontrolled media every day. I was given the task of figuring out how to control that, and we spent a full year bringing in technical tools to control our data and gain visibility into data movement. Those technical tools and that visibility made a big impact, but at the end of the day, it will not prevent data from leaving. So the next phase of the campaign was educating people on the correct way to do things: how to identify what sensitive content looks like, where it should go, how to use it, how to keep it safer, etc.
Making it a two-way conversation
The most important part of that education campaign was making sure it was a two-way conversation. It’s really easy for a security team to talk in one direction to users — this is what you should do, what you have to do, here’s the policy, here’s the regulation, here’s where you’re failing…STOP.
The way to be successful in security, and really in anything in business, is to go to people and say, “What are your problems and how can we help?” Almost everyone you ask will tell you, “I absolutely want to protect the company, but I’ve got to do X, Y and Z.” So you can tell them what to do, you can ask them to follow policy, but at the end of the day, they’re not being paid for security — they’re being paid to get their jobs done quickly and effectively, in the smartest way possible. If you can sit down with users and say, “Tell me how you do things, and let’s figure out a way to not only protect the company but make you more effective in your job,” you’re going to have a tremendous head-start in success.
Embed data security in your exit process
Departing employees are a huge source of data risk. Again, most aren’t malicious, they just don’t realize what they’re doing is problematic. So building data security into your employee offboarding or exit process is a huge way to educate them on what they should be doing.
I like to pull a list of all an employee’s activities and just start with a friendly reminder to follow the guidelines. Don’t make it aggressive or hostile; it can be as simple as “Please make an effort to delete all company content that you have on any device or cloud storage location, and if you happen to come across content at a later date, please do the same.” I’m not an attorney, but this step gives you a lot more traction from a legal perspective if something does happen. More importantly, it’s an easy way to put departing employees on your side by making it easier for them to help you protect the company.
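The two pieces of monitoring described above, the six-week lookback around an HR trigger (“Find the high-risk triggers”) and the per-employee activity list pulled for the exit reminder, can be expressed as one small piece of detection logic. The following Python is an added example, not code from the article or from Juniper Networks; the HR events, the file-movement log lines and the set of “uncontrolled” destinations are all constructed here to illustrate the idea, and the field names are assumptions rather than any product’s real schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One file-movement record, as a DLP/CASB-style log might produce (assumed schema)."""
    ts: datetime
    user: str
    action: str        # e.g. "upload", "copy"
    destination: str   # where the file went
    filename: str


def parse_events(rows: List[Tuple[str, str, str, str, str]]) -> List[FileEvent]:
    """Turn (timestamp, user, action, destination, filename) tuples into FileEvent objects."""
    return [FileEvent(datetime.fromisoformat(ts), u, a, d, f) for ts, u, a, d, f in rows]


# Constructed HR trigger events: the "pivotal moments" the article lists.
HR_EVENTS = [
    {"user": "alice", "event": "resignation_notice", "date": "2020-05-18"},
    {"user": "bob", "event": "disciplinary_action", "date": "2020-05-20"},
]

# Constructed file-movement log. Note alice's uploads in April, well before her notice date.
FILE_EVENTS = parse_events([
    ("2020-03-01T09:12:00", "alice", "upload", "personal_dropbox", "q1_forecast.xlsx"),
    ("2020-04-10T18:45:00", "alice", "upload", "personal_dropbox", "roadmap.pptx"),
    ("2020-04-28T22:03:00", "alice", "copy",   "usb:SANDISK",      "customer_list.csv"),
    ("2020-05-15T11:30:00", "alice", "upload", "corp_sharepoint",  "weekly_status.docx"),
    ("2020-05-22T10:00:00", "alice", "upload", "personal_gmail",   "resume.docx"),
    ("2020-05-19T08:00:00", "bob",   "copy",   "usb:KINGSTON",     "design_v3.zip"),
    ("2020-01-05T08:00:00", "bob",   "upload", "corp_sharepoint",  "notes.txt"),
])

# Destinations the organisation does not control (constructed list).
UNCONTROLLED_DESTINATIONS = {"personal_dropbox", "personal_gmail"}


def is_uncontrolled(destination: str) -> bool:
    """Personal cloud storage and removable media count as uncontrolled."""
    return destination in UNCONTROLLED_DESTINATIONS or destination.startswith("usb:")


def trigger_window(trigger: datetime, lookback_weeks: int = 6,
                   notice_days: int = 14) -> Tuple[datetime, datetime]:
    """Window of interest around an HR trigger: at least six weeks back, plus the notice period."""
    return trigger - timedelta(weeks=lookback_weeks), trigger + timedelta(days=notice_days)


def flag_trigger_activity(hr_events, file_events: List[FileEvent],
                          lookback_weeks: int = 6,
                          notice_days: int = 14) -> Dict[str, List[FileEvent]]:
    """For each HR trigger, return the user's movements to uncontrolled destinations inside the window."""
    flagged: Dict[str, List[FileEvent]] = {}
    for hr in hr_events:
        start, end = trigger_window(datetime.fromisoformat(hr["date"]), lookback_weeks, notice_days)
        hits = [e for e in file_events
                if e.user == hr["user"] and start <= e.ts <= end and is_uncontrolled(e.destination)]
        flagged[hr["user"]] = sorted(hits, key=lambda e: e.ts)
    return flagged


def offboarding_summary(user: str, file_events: List[FileEvent]) -> List[FileEvent]:
    """Everything the departing employee did, oldest first, for the exit conversation."""
    return sorted((e for e in file_events if e.user == user), key=lambda e: e.ts)


def uncontrolled_locations(user: str, file_events: List[FileEvent]) -> List[str]:
    """Distinct uncontrolled locations the user has sent company content to."""
    return sorted({e.destination for e in offboarding_summary(user, file_events)
                   if is_uncontrolled(e.destination)})


def reminder_text(user: str, file_events: List[FileEvent]) -> str:
    """The friendly, non-hostile exit reminder, listing the locations the user should clean up."""
    locations = ", ".join(uncontrolled_locations(user, file_events)) or "none on record"
    return (f"Hi {user}, please make an effort to delete all company content that you have on any "
            f"device or cloud storage location ({locations}), and if you happen to come across "
            f"content at a later date, please do the same.")


if __name__ == "__main__":
    for who, hits in flag_trigger_activity(HR_EVENTS, FILE_EVENTS).items():
        print(who, [(e.ts.date().isoformat(), e.destination, e.filename) for e in hits])
    print(reminder_text("alice", FILE_EVENTS))
```

Running it with the default six-week lookback flags three of alice’s movements (two in April and one after her notice); shrinking the window to the two weeks the article warns against (`lookback_weeks=2`) drops the April activity and leaves only the post-notice upload, which is exactly the gap the longer lookback is meant to close.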
Keep security in the loop with HR, IT, legal
At Juniper Networks, my security team is really well plugged into legal and HR. We have a continual feedback loop where what we see helps change policy. That’s where the employee exit process came from — security seeing so many people taking content when they left, without realizing or intending to do harm. This is an important tip: if your security team is seeing risk or problems, make sure they’re communicating with HR, legal, IT — whoever — so your organization can holistically address the risk. If they don’t know, they can’t help you.
4. Help your employees solve their problems
Zooming out from helping an individual employee do the right thing, I want to talk about the importance of company culture. You need to work to make security a collaborative partner to the rest of the business — an ally instead of an adversary.
There’s a lot of talk about enabling “Silicon Valley culture.” It’s the let-your-employees-do-what’s-necessary mentality versus the traditional regulatory culture of setting rules for your employees to follow. The truth is you can have Silicon Valley culture and still have security. It’s all about relationships — working with executives, VPs and other key stakeholders to explain why security is important to what they do every day.
Understand cultural differences
Here’s a related tip: as companies become increasingly global and have remote users across geographies, it’s very important for security teams to understand how users in different cultures communicate. Users in some areas of the world do very little email, primarily communicating via chat apps like WhatsApp or WeChat. Now imagine mandating that a global workforce use one communication channel (such as email) and see what happens. Beyond creating cultural friction, the vast shadow IT environment that results will lead you to miss a lot of risk.
Be collaborative, not authoritarian
Like I mentioned earlier, it’s easy to fall into the conventional authoritarian relationship with users. The way I’ve been most successful in my career is by starting with “How can I help?” I have a security agenda, of course, but opening the conversation that way leads to success almost every single time. Make it clear you’re there to help stakeholders figure out how to work in ways that are more efficient, more effective and more secure.
5. Stay on top of “technical debt”
More and more security leaders are running into the problem of what’s called “technical debt.” Pick your favorite fast-growing Silicon Valley “unicorn” company and they are sure to be a prime example of technical debt. They blitzscale to grow as quickly as possible without worrying about upfront risk and use a variety of technologies (communication apps, device types, payment processing systems, etc.) across different regions. This approach helps a company outscale the competition and gain market share. At some point, the company pauses, looks around their technology landscape, and thinks “Oh, crap — how can we even begin to manage risk in an environment like this? How can we inventory systems and manage assets in order to have data visibility?” The reality is they can’t. Many of these companies are living on a security prayer, hoping that nothing serious happens.
COVID-19 forcing companies to rapidly scale remote work
Scaling remote work used to only be a problem for the fast-growing tech startups. But the global response to the COVID-19 pandemic forced many companies to make a sudden shift to remote work. If you suddenly have to enable most (or all) of your workforce to work remotely, you’re going to take the “blitzscaling” approach in order to adapt fast enough to survive. But this doesn’t have to lead to the “Oh, crap” realization.
As you’re going through a rapid scaling phase, it’s important to maintain visibility into all of the cloud collaboration platforms that data is flowing between. You can accomplish this by taking notes and embedding documentation into your culture and processes. Get creative and crowdsource it. Have your users email you when they start something new, or create a collaborative spreadsheet to help keep track. You’re not going to have time to do security in the best way possible. You do the best you can and you document everything that gets deployed, so you can circle back later. Once the dust settles and you begin to feel like you have control of things, you will have a huge head-start in addressing risk and you will know what you have to secure. If you don’t do this, you will just have a giant security black hole.
When times get tough, get back to basics
There are many challenges facing security teams. It’s tempting to try to find the magic-bullet technical tool that can instantly solve a problem. I’m a strong believer that the best bang for your buck when it comes to understanding data risk is in the soft controls. Preventative controls will save you when you do have a malicious insider incident or classified data exposure. But it’s the human-driven controls, informed by data risk intelligence, that will go the furthest to reduce your risks. This includes data visibility, so you know what your environment looks like even if it is evolving at 5,000 miles per hour; helping your people help you and educating them on how to do the right thing; and working to become a trusted partner to your users by framing the security conversation around how you can help them be better at what they do every day. It really brings the entire challenge full-circle: the biggest risks we face are fundamentally human in nature — and so are the most effective solutions.