I. INTRODUCTION: Data security in the era of open collaboration
The meteoric pace of change
There’s no way to ignore it: work has changed dramatically. What was once a locked-down culture of closed conversations and highly structured, closely held data is now one of collaboration and openness.
This new default to shared information, ideas, and conversations makes work faster, more productive, and more effective. Quick, transparent decision-making is now the modus operandi for many organizations. And it’s all supported by a new wave of agile teamwork tools like shared cloud file storage, messaging apps, and collaboration platforms.
Securing data in the era of collaboration
Against the dramatic change in our collective work culture, one thing has not changed: the paramount need to protect your intellectual property. Your company’s trade secrets. Its ideas.
Unfortunately, today’s data security stacks were designed and optimized for the old way of working. They were built to capture intruders and block data movements.
Strategies like data loss prevention combined with inflexible data access policies can’t appropriately protect data in today’s open, collaborative, and even remote workplaces. False positives can leave users frustrated by interrupted productivity, while the security team is limited in its ability to prevent data leaks. Such rigid approaches can even leave companies in a more vulnerable position through a false sense of security.
A missing voice
It’s ironic that, as companies strive to be more collaborative, they invariably leave a critical voice out of the transformation team: the security leadership. Security experts need to be leading the charge on safe, open collaboration. They’re the catalysts that can enable responsible sharing, propel change and allow organizations to thrive in this new normal.
It’s time for the mobilizers – in HR, legal, IT, and the board – to bring the CISO to the culture table. Leaving them in the wings merely perpetuates the traditional adversarial relationship between security teams and business units. That’s a guaranteed obstacle to a truly open, collaborative culture.
This guide is about an approach to data security that’s optimized for the new era of open collaboration. Not surprisingly, the method is also built on collaboration — between security leaders and colleagues from across the business.
Security in today’s world cannot succeed alone, in a vacuum. It’s essential for security teams to work closely with non-security leaders. This creates a better understanding of what those teams currently use, or would like to use, to store and share data, so they can continue to move quickly.
II. IT’S A PEOPLE THING
It’s common to assume cyber security strategy needs to focus only on outsider threats: hackers working tirelessly to launch their next malicious attack from outside the company walls. While this is still a consideration, more and more data security breaches today are caused by insider threats. And that makes it a people issue as well as a technology one.
Another misconception is that fighting the insider threat means asking employees to distrust each other and ‘snitch’ on colleagues. On the contrary, the best insider threat strategies stress openness and transparency, supporting a culture of trust while keeping a responsible eye on data movements.
The challenge is to enlist every single employee in the data security effort, showing why it’s so important, how it’s critical for enabling open collaboration, and how their behaviors can make a huge difference.
The goal is to get every employee to understand their collective job as ‘human firewalls’. Put simply, all employees need to be part of the security team. It’s about fostering a spirit of collaboration and openness plus security awareness that turns each employee into a crucial line of defense for the business.
Awareness and training
From the first day an employee starts work, this ethos of collaborative security should be introduced through training. Greater awareness and education should be supported by policies, processes, and technology. But, above all, it’s a people-led approach. Security can be a sensitive subject; tech alone can’t handle the nuance of collaborative work in a complex, cloud-powered world. Emotional intelligence is paramount here, as are all areas of the business working in unison. Departments can’t be singing from their own song sheet with separate data security strategies. Collaboration with leadership across the entire company is vital if data security is to be a business enabler.
III. YOUR COLLEAGUES IN THE NEW DATA SECURITY LANDSCAPE
A secure, collaborative culture starts with the people who see across the whole business and are responsible for the employee experience: especially IT, legal, compliance, HR, and the board – all working in tandem with security.
When these stakeholders are aligned, they can send one set of messages to all employees. Clear, consistent policies and processes that balance the needs of all stakeholders also signal a unified management team that values employee experience, collaboration, and security as business-critical and inseparable.
Success in this respect requires an understanding of the stakeholders involved, getting to know their priorities and departmental motivations.
Here’s a quick overview of the key stakeholders and their relationship to data security. Collaborating means understanding each other’s agendas.
HR WANTS A GREAT EMPLOYEE EXPERIENCE
- Responsible for hiring, onboarding, developing, retaining, and keeping talent safe
- Security teams can work with HR to weave data security into the whole employee lifecycle, so it’s just a natural part of working
IT WANTS TO POWER THE BUSINESS WITH THE BEST TECH
- Helping choose, deploy, manage, support, and secure the networks, systems, and apps of work
- Security and IT must collaborate to cater to the imperatives of scalability and manageability, working hand-in-hand to secure work
LEGAL / COMPLIANCE WANTS TO PROTECT THE BUSINESS FROM RISK
- Complying with all regulations and reducing exposure
- Security and compliance go hand-in-hand. Getting the right processes and tech in place can make compliance much easier and more transparent
BOARD LEADERS HAVE THEIR OWN METRICS OF SUCCESS
- Wanting to achieve overall business goals and help accelerate transformation
- It’s time for security teams to show how a culture of data security aligns with the most strategic goals in the business
INTERNAL COMMS WANT EVERYONE ON THE SAME PAGE
- Responsible for all communication with employees
- This is where a culture of security gets broadcast as part of the overall culture
Together, department leaders and employees create a human shield for the company. This arms it against cyber security threats and allows productivity to be a priority.
IV. 7 TIPS FOR COLLABORATING TO IMPROVE DATA SECURITY
1. It starts on day one
As soon as an employee is onboarded, their own data security journey begins. First, the employee needs to buy into the importance of data security—to understand that lax practices compromise the company’s competitive advantage and jeopardize the open work culture.
Onboarding should cover everything from phishing attacks to device security and cloud sharing, as well as the company’s policies and processes. In this way, the employee is set up for success and knows their role in upholding the ‘human firewall’.
2. A holistic approach
To be effective, a cyber security strategy embraces all teams and stakeholders in the company. The main mobilizers – HR, IT, legal, compliance, and the board – need to unite around policies, processes and language.
The story should cover safe data sharing, reporting, escalation paths, and consequences. And it will need to be drip-fed to employees on a regular basis through communication and training—it can’t just be a ‘one and done’ session.
To keep employees interested, vary the channels of communication to include Slack, email, video, or face-to-face meetings. These different formats will help fuel engagement.
3. Run lunch and learns
Each team has its own data security considerations and its own software stack to secure. Get small groups together to put the data security story into their specific context. One day you might bring a marketing team together to learn about access and sharing settings in Google Docs. Another might be a pizza-fueled session with product engineers on how to safely share source code with external contractors.
4. Think like a coach, not a cop
An effective secure culture is not a blame culture. It’s about working together to secure the company’s assets and make open collaboration possible.
The more proactive you are as a leadership team, the less you’ll find yourself ‘busting’ people. And the more you help employees understand the importance of data security, the more likely they’ll be to join the effort instead of trying to skirt around it.
The key is to keep lines of communication open. You want people to share with you, not hide things. Tone matters: keep things positive, light and clear.
5. Be transparent
Since deterrence is better than a ‘gotcha’ approach, you want everyone to know about the tools you have in place to monitor data movements.
Be transparent about the tools that security is using to protect against data leaks. Make it clear that anything on an employee device belongs to work: that the business can look at anything at any time.
Hiding your monitoring tools may harvest more ‘arrests.’ But transparency dramatically reduces the incidents you’re trying to control for, along with the “us vs them” mindset.
6. Make people central to insider threat response
Just as people are the front line of data security, they also must be the front line of your response to any data leak incident. A human approach will always beat an automated process that can trigger over-reaction.
When a breach does occur, the security team simply uncovers the risk and alerts HR, IT or the business manager. The first step is to talk to the employee — in most cases, it’s an innocent mistake that’s easily rectified.
Start conversations assuming positive intent and use the conversation to identify training opportunities for all employees.
7. Enable your investigators
Investigating a data breach incident depends on understanding the context. What exactly was inside the leaked files? Where was it sent? What’s the potential business impact of the leak? How likely is it that the intent was malicious? Has the compromised data actually been accessed?
To answer these questions, give your investigators the tools to see all suspicious data movements and to look inside the actual files leaked, instead of simply judging by the (easy to change) file name.
A veggie lasagne recipe sent to a family member is not the same thing as your entire source code base being taken to a competitor. Focus your investigation resources where they matter most.
The bottom line: Start your cybersecurity practices on day one and spread the data security story throughout the whole organization. Open collaboration is only possible if people are an integral part of your security response.
V. CONCLUSION: Collaborative data security is built on trust
An empowering culture
An open collaboration culture is hugely powerful — but it does carry risks. If the security team isn’t part of the enabling force, and all departments, employees, and leaders are not enlisted, this culture can wreak havoc on security. What’s more, insider threats will continue ungoverned, and you could be facing legal actions, regulatory fines, and lost business. But if the security team is engaged as a full partner, collaboration can coexist with protection, without compromising work styles.
Trust, above all
If your highly important files carry your competitive advantage, then you need to enlist every single person who works in your company. It’s all about trust: between you and your stakeholder colleagues, and between the team and all employees.
Technology alone can’t solve this. It takes people, process, policy, and tech to support this new, collaborative approach. Done well, open collaboration can create exciting opportunities and powerful potential for businesses, making them fit for the future.