Everyone is a Security Manager

Organizations Should Look for Ways to Involve Employees in Mitigating and Eliminating Threats Before they Happen…

If I have learned anything over two-plus decades in this industry, it's that you can't leave security as the sole domain of a few people and expect to be successful. As threats and vulnerabilities continue to evolve, it is incumbent upon organizations to empower all of their employees to take an active role in the security of their own network. Too many people still mistakenly view security as a point-in-time activity rather than an ongoing process, and that mistake erodes the level of vigilance needed to build an effective security culture.

So how do we combat this behavior and get everyone thinking more seriously about security? First, put the data in the hands of everyone. Security shouldn't be a secret. I fully understand and expect that certain aspects of protocols and architecture will remain confidential, but that doesn't mean users shouldn't be educated on security best practices and taught how to recognize and report malicious behavior. By doing this, you encourage a culture of better oversight and vigilance in which all users feel enabled, and compelled, to act as security managers.

Employees As Security Mentors

Next, place the responsibility for better security where it belongs: in the business unit, with the front-line managers. Expecting the security team alone to decide which data travelling across the network is critical and which is not is a recipe for disaster. Certain behaviors and patterns will alert the security pros that something is amiss, but the people with intimate knowledge of what data should be leaving the company, and with whom their employees should be communicating, can provide vital protection against the loss of critical data. Better communication between IT teams and business managers is a must for companies serious about ramping up their security efforts.

Finally, stop treating security solely as a technology problem. Can technology help? Of course, but relying completely on your security solutions to catch everything is a risky proposition. A simple comparison drives the point home. Would you write an important document and submit it relying only on autocorrect to catch typos and mistakes? Of course not. While writing it, you would take great care to make it as close to perfect as possible, using the built-in checks only as a final form of review to catch what you missed. The same approach should be taken to network security.

Employees should not have the attitude, nor be given the impression, that it is okay to engage in risky online behavior because the company has technology in place to catch any problems. As I alluded to in my last column, The Human Side of Security, employees will always be the weakest link in the security chain. Training them to approach things through the lens of a security manager is the best first step an organization can take to reduce the number of threats that its technology and security teams are expected to mitigate.

A 2012 report authored by Booz Allen Hamilton titled "The Vigilant Enterprise" discussed how security has become more complex than simply relying upon technology. The report states: "Simply building stronger firewalls and other perimeter defenses is insufficient. Cybersecurity's multi-dimensional challenge requires a comprehensive management approach to enable an enterprise to oversee and coordinate all elements of cybersecurity, including policy, operations, technology, and people."

Technology, as important as it is, is only one of those four elements, one-quarter of the security puzzle. Organizations that are serious about security recognize that the way they conduct their operations and the way their people act will ultimately define the success of their security programs.


Essentially, what I'm advocating is an organizational version of a neighborhood watch program, a cyber-neighborhood watch. A quick check of any neighborhood watch program's website tells us that it is a crime prevention program that stresses education and common sense. It teaches citizens (or in our case, network users) how to help themselves by identifying and reporting suspicious activity in their neighborhoods (networks). It also gives citizens/users the opportunity to make their neighborhoods/networks safer and improve the quality of life. Neighborhood watch groups typically focus on observation and awareness as a means of preventing crime. And just as police advise actual watch groups: don't take matters into your own hands; call the police if you see something suspicious. In our case: be vigilant, and call in the security professionals when you notice something that isn't quite right. When everyone is aware, you make that job that much easier.

I would encourage all organizations to rethink their approach to security. Rather than treating employees as the problem and IT as the solution, look for ways to involve your users in mitigating and eliminating threats before they happen. A measure of education and a bit of empowerment among the user base can go a long way toward unlocking the security manager in all of them.
