“The Department of No”: The Challenges and Risks of Building a Cybersecurity Program | Expert Series
January 20, 2024 · 6 min read Expert SeriesCISOInfoSec
IT security leaders are often defined in binary terms: they’re either blockers or enablers. On one side sits the cybersecurity function of old, characterized by a culture of dictating to the organization what it can and can’t do. On the other is a more progressive approach that takes the productivity and usability needs of employees into account, and takes time to engage with them in a more consultative manner.
In reality, corporate cybersecurity is never quite so binary. But it’s increasingly important for CISOs to consider what their approach should look like. And the experts Philip Eller, CEO of AccessOwl, spoke to agreed: creating the right culture is the key to success — and even a department of “yes” needs to have some red lines for policy enforcement.
Understanding the CISO “sweet spot”
There’s no question that finding the right balance between blocking and enabling benefits everyone. CISOs who fail to do so could find themselves alienating a lot of users, with potentially serious consequences. One study claims that 64% of employees are likely to leave a new job within the first year after a negative onboarding experience. Another reveals that 85% of business decision-makers believe that security policies are affecting remote employees’ ability to do their jobs. That’s bad news, considering that 71% of these decision-makers claim that the ability to work from anywhere has become critical to winning the battle for talent.
For Callsign CIO Adrien Pujol, the calculation involves security, agility, and cost efficiency. The challenge is that the CISO has to make tough choices about which to prioritize — because it’s not possible to give each factor equal weight. To compound this challenge, the landscape is continuously evolving.
“I keep going back and forth to try and find the sweet spot,” Pujol tells Eller. “But the thing is that the sweet spot is not fixed; it changes all the time, depending on emerging threats and new technologies. AI, for example, introduces a lot of new, interesting challenges to solve.”
The sweet spot will likely vary depending on a number of criteria specific to the CISO’s organization. A small company of fewer than 100 employees may lend itself to a more informal and trusting approach, Pujol argues. But larger organizations will often suffer a “communication breakdown,” which requires more formalized rules. The company’s location, and the cybersecurity expertise and maturity of its staff, may also play a part in how strict these rules need to be, he adds.
The shadow IT challenge
A common argument for taking a more consultative approach is that putting up barriers will only drive greater shadow IT, which ultimately creates more risk for the organization, as it means apps and services are used in an unmanaged way. Typeform CISO Aristotelis Gkortsilas argues that employees will always look for workarounds unless security leaders take more time to understand how they want to work.
“We talk about ‘people, process, technology,’ and the sequence matters. So you need to understand how your people interact before you start establishing processes. And then you can bring technology to help improve efficiencies,” he tells Eller.
“Most security professionals will start from the technology. They may tackle some elements of people with training and awareness, but they will completely disregard the process of how people interact with technology and with each other. That’s where you see the friction.”
Human error or negligence can also impact whether the CISO leans into being a blocker or an enabler, according to Tim Dzierzek, a former VP information security and CISO at Smarsh.
“There are concerns that somebody’s trying to do the right thing but does it in a wrong way — like they’re trying to get somebody access to something and they go, ‘Oh, I’ll just add them real quick [to an account],’ and then they forget to remove them,” he explains to Eller.
“It really just takes one malicious person to stumble upon that, and then [that person] has access to critical resources and/or resources that they shouldn’t have, and most of the time that’ll hurt you the worst.”
The department of no — or yes?
Against this backdrop, Typeform’s Gkortsilas believes that creating the right culture is key. It will define the kind of approach the cybersecurity function takes when creating and enforcing policy, he believes. Gusto Product Security Engineer Breanne Boland believes that the CISO should take on the role of a lifeguard: allowing employees to do what they need to in their daily roles, but stepping in when things potentially get dangerous, so that “no one gets hurt.”
In practice, she explains, this could mean:
Explaining why certain actions are prohibited and offering alternatives.
Ensuring that interactions with staff are pleasant and personal, not formal and confrontational.
Following up afterwards to see whether the employee needs any more information, and how the security team could have handled it better.
Focusing on education, so that “people talk to security and always come away knowing something they didn’t know before.”
Putting employees at their ease by cultivating “warm and familiar friendships,” so they feel comfortable reaching out. “If someone doesn’t tell us something because they didn’t want to bother us, or they’re afraid of some kind of adverse reaction, it means we failed.”
Ross Stapleton-Gray, Director of Information Security at StreamSets, agrees with Boland.
“You want an infosec team to be the party that the victim turns to and says, ‘I need help if they can help me.’ Rather than ‘I’ve screwed up, I cannot let them see me,’” he reasons.
But even in an organization where security seeks to put employees at their ease, there need to be some red lines, especially in heavily regulated areas such as personally identifiable information and protected health information (PII and PHI), Boland acknowledges.
“Being a company that does payroll, we are entrusted with so much information. We take that incredibly seriously. So, yeah, I’ve written procedures and playbooks around that,” she explains. “That’s the strictest thing that we govern. And we try to just bolster it with lots of supporting information, documentation, and resources to check with if the docs don’t cover an edge case.”
Callsign’s Pujol agrees, especially if client organizations demand stricter processes and evidence of regulatory compliance, as his firm’s banking customers began when the company was expanding.
Building security by design
Ultimately, no two organizations are the same. That means CISOs have to adapt to their own particular set of circumstances when deciding where the balance between security and productivity or agility should lie. For Typeform’s Gkortsilas, once the baseline policies are in place, the job of the CISO should be to build a security-by-design culture in the organization. That means trying to get employees to instinctively understand and eschew risky actions, just as they would in their personal lives.
“The biggest problem is the disconnect between what people do in their work life and the consequences of that,” he concludes. “The only way you can actually make an organization secure is by changing the way the organization operates.”
