Manifestos have been around for centuries but seem to have become trendy lately. Originally manifestos were used by political parties or candidates to publicly declare policies, goals, or opinions before an election. More recently, manifestos have gone mainstream and are used by companies, individuals, and groups to promote better work and life habits. There are even articles and blogs devoted to collecting inspirational manifestos or teaching us how to write a manifesto.
But when I started thinking about the idea of a “Security Manifesto” it was with the original intent in mind. As I wrote in my previous column, security needs to become a boardroom discussion, and having members with technology and cybersecurity expertise at the table is the only way for this to happen effectively. Today’s CISOs are candidates in the midst of a campaign, striving to ascend even higher in the organization: to the boardroom. Every candidate needs a platform upon which to run, and that’s where the manifesto comes in.
CISOs need to be prepared to answer hard questions: How do I make my security team the first point of contact for the business when potential security issues arise? How can I ensure my team has the tools and visibility to determine what security issues are most relevant, and require action? And how do I keep users—the key to business success—safe, and not just when they are working onsite?
A Security Manifesto can prepare CISOs to address these questions based on a core set of security principles. To help CISOs develop a manifesto, below are five principles that can serve as a baseline as they strive to become more dynamic in their approach to security, and more adaptive and innovative than adversaries:
1. Security must be considered a growth engine for the business. Security should never be a roadblock or hassle that undermines user productivity and stands in the way of business innovation. Yet security teams impose technological solutions that do exactly that. A primary reason: they are not invited in time, or at all, to discussions about business projects that require the deployment of new technology. However, security professionals are also guilty of waiting for an invitation they may never receive. They instead must take proactive steps to ensure they are involved in technology conversations, and understand how security processes can enable the organization’s agility and success, while also protecting its data, assets, and image.
2. Security must work with existing architecture, and be usable. Security teams should not have to create or re-build an architecture to accommodate new technology solutions that are meant to improve security. Organizations should not have to change the way they do business to accommodate new security technologies, or be prevented from making changes in how they operate because of the technologies they already have in place. The end result of “architecture overload” is that users will circumvent security architecture, leaving the organization less secure. In addition, if a security technology is too difficult for users to understand, and must be maintained by hard-to-find, specialized security talent, it is not useful to the organization.
3. Security must be transparent and informative. Users should be presented with information that helps them understand why security is stopping them from taking a particular action. They also need to know how they can do what they want to do safely, instead of bypassing security in the name of doing their jobs. As an example, when a user attempts to access a web page and is met with the message, “Access to this site has been denied by your administrator,” there is no context as to why they can’t access the page. But if the message said, “Access to this site has been denied because it has served malware in the last 48 hours,” the user would be better informed and understand the potential risk not only to the organization, but to them, as an individual user. Security technologies also should help users to achieve their goals safely through clear recommendations or by directing them to appropriate resources for timely assistance.
4. Security must enable visibility and appropriate action. Security solutions with open security architecture enable security teams to determine whether those solutions are truly effective. Security professionals also need tools for automating visibility into the network so they not only can see traffic, but also the assets that make up the network. By understanding how security technologies operate, and what is normal (and not normal) in the IT environment, security teams can reduce their administrative workload while becoming more dynamic and accurate in identifying and responding to threats and adapting defenses. In taking this approach security teams can take full advantage of more relevant and targeted controls to aid in resolution.
5. Security must be viewed as a “people problem.” A technology-centric approach to security does not improve security; in fact, it exacerbates it. Technologies are merely tools that can enhance the ability of people to secure their environment. Security teams need to educate users about safe habits that they should apply no matter where they are using technology—at the office, at home, on the road—so they can make good decisions and feel empowered to seek timely assistance when they think something is wrong. Improved dialogue between security professionals and users will also help users see that technology alone cannot assure security. People, processes, and technology, together, must form the defense against today’s threats. Commitment and vigilance by all users in the organization, from the top down, empower security success.
A Security Manifesto outlines how security technology, policies, and best practices should be used to raise the average level of security for everyone in the organization. With strong principles to guide them, everyone across the organization – users, security practitioners, and business leaders – can see the “big picture” on security and work together to understand and minimize risk while advancing the business.