SecurityWeek


Without Handcuffs: Creating A Culture of Compliance

Over the years, I have met with hundreds of security teams. One of the most common complaints that comes up in meetings with companies of all sizes and across all industries is that security teams feel helpless to enforce the policies they put in place. Multiple security officers have described it as feeling like “cops without handcuffs.” Upon flagging serious incidents of rogue IT staff and acceptable use violations, I’ve been met with shrugs instead of surprise.


Security policies exist for a reason, but unenforced they’re not valuable to anyone – updating them takes time and resources away from already strained teams and arbitrary rules don’t make employees happier or more productive. Given the challenges to enforcement, what role do these policies play in a security team’s toolkit? And what needs to change to make security teams able and willing to enforce policies?

Why Bother? 

Widely accepted as a best practice amongst cyber security professionals, internal security policies are a critical element of a strategic and proactive cyber security program. Employees not on the security or IT teams possess limited knowledge of the cyber security challenges facing corporations and the risks their actions may pose to the company. Educating employees about these risks and challenges is a fairly easy way for an organization to minimize its risk profile.

Policies don’t prevent mistakes. We can’t expect a document or quarterly security training to change everyone’s bad habits or prevent employees from ever falling for a phishing attack. However, by limiting what applications employees can use, laying out protocols for connecting to non-corporate Wi-Fi networks, and instructing employees on the potential risks of rogue USB devices, companies can reduce the number of employees involved in these behaviors, thereby reducing the risks created by these activities.

Complacency and Complexity

At this point, it seems many employees are complacent and don’t fear breaking policies, specifically because they aren’t enforced. As fewer and fewer people follow restrictions and regulations, it becomes too complicated or costly to enforce them. On the flip side, it’s possible that it is the security teams who are complacent when it comes to enforcement. A set of policies might be put in place to appease executives or board members, but an IT team not supportive of the initiative could have no actual intention of implementing them.

Another possibility is that inconsistencies in enforcement create a situation where no enforcement seems like a better decision. Imagine a situation where one employee was written up for using a non-approved cloud storage platform, but he/she knows that numerous other employees are also using it and aren’t being punished. This would serve only to create resentment towards the security team and would do little to dissuade the employee from using non-approved software and services in the future.


Finally, it could be the complexity of modern networks posing a challenge. Most employees have multiple corporate devices, cloud and SaaS applications create more areas of the network that need monitoring, and BYOD further expands the attack surface. While not impossible, it may be too challenging and complex for security teams to enforce these policies on top of their other responsibilities and without affecting business productivity.

A Shared Responsibility Model 

One of the greatest successes of effective policies and effective security teams is that they make security a company-wide responsibility. Security teams need the ability to enforce policies when necessary, but they also can’t spend all their time chasing down employees breaking the rules. That’s why it’s critical to do two things: ensure you have a way to easily monitor employee activity, and shift responsibility for the company’s security into the hands of every employee and team.

You can’t enforce what you’re not aware of, and while some might raise concerns over privacy, there are sophisticated security tools that can provide visibility into employee activity without raising privacy concerns. Tools are able to identify suspicious activity without diving into the contents of emails or documents, but instead by mapping out normal behavior for every employee. Visibility can help ensure that policies are enforced equally, would enable quick, autonomous action when policies are being broken, and can ensure that senior staff, whose actions can have the largest impacts, are also held accountable.

One CISO that I recently spoke with told me that the biggest benefit of gaining visibility into his network was the open lines of communication it had created between employees and his security team. He said now employees know that someone on the security team is monitoring their network behavior. Upon breaking policy, they’ll expect to get an email from his team explaining the risks and asking for their support in the future. He described it as helping him to create a “culture of compliance” within his organization.

As a company begins to enforce security policies and hold employees responsible, the policies that once may have seemed meaningless will start to be valued and respected. Over time, holding people responsible will lead individuals to see how their actions impact the security of the organization and come to consider themselves responsible for the security of the company. This is the larger success, leading to not just fewer policy violations, but to an overall more secure organization.
