Building a culture with security at the heart

With the security perimeter shifting from the office to the home, security leaders must speak the language of the business to build the culture needed to protect their company and overcome the perception they are blockers of innovation

As many employees are already, or soon will be, working remotely, organisations globally are implementing a variety of cloud-based solutions to support staff in adjusting to working from home. The primary goal is maintaining close to the same level of productivity as if they were in the office.

However, in a world of accelerated transformation and a shifting security perimeter, companies must ensure they have fit-for-purpose security solutions in place combined with an organisation-wide awareness programme.

Breaches have also become much harder to detect. Attackers exploit every opening they can find, for example phishing emails dressed up as important updates on topical, newsworthy items such as COVID-19. The focus therefore needs to be on employee awareness and behaviour: if employees aren’t vigilant, they create vulnerabilities no matter how much has been spent on security tooling.

“Tried-and-trusted methods of cyberattack, such as phishing and social engineering, are still the best way of gaining access and compromising a business, and they’re very much targeted at the individual and what that individual knows,” says Barry McMahon, senior international manager at LastPass by LogMeIn.

“That’s not to say the problem is between the seat and the keyboard as there is an onus on the business to make sure they put the right tools, processes and procedures in place. Unfortunately, that’s where many companies stop. The real value is realised when an organisation-wide culture of awareness and appreciation for security is aligned to existing solutions and processes.

“To build a security culture, you need to communicate with employees in a language they understand which, for the most part, is a non-tech language. Try to make it relevant to their personal life and then, by association, address the relevance to the business.

“Companies need to shift from a few employees doing a lot, to a lot of employees doing a little, and then continually improving on that and measuring the improvement along the way. If you can’t measure it, how can you demonstrate you are adding value by reducing the risk profile of the business?”


Whether an employee is working from the office or remotely, the best security approach is to manage their digital identity and the way they authenticate as they log in to the resources they need. But this must be done in a frictionless way. User experience is crucial to building a security culture: if it is poor, employees will quickly find ways to circumvent the security measures in place; if it is good, they will barely notice those measures are there.

Many security teams face the additional challenge of being sidelined. While cloud solutions offer enormous value, they also allow line-of-business and department heads who perceive the security team as a blocker of innovation and productivity to bypass it altogether and deploy solutions on their own. The security or IT department is then no longer the automatic gatekeeper of technology entering the business, which creates vulnerabilities and security blind spots the team is not even aware of.

Security teams therefore face the task of changing the perception not just of themselves, but of security as a whole within the business. This requires proactive communication and raising awareness of the value and credibility they add when they are involved. If they fail to change that perception, and line-of-business and department heads continue deploying technology in their own vacuum, it will be the security team’s problem when something is compromised.

Similarly, in line-of-business projects, security leaders need to position themselves as the experts who can make projects secure by design. If the security team’s involvement is positioned as a seal of approval, line-of-business stakeholders can use it to demonstrate their project does not expose the business to unnecessary risk.

“If security teams are out of the loop, then from a top-down perspective it’s likely that senior leaders in the business just see them as a cost centre,” says McMahon. “This not only increases the exposure of the business to vulnerabilities and threats, but could also lead to the company losing talent from its security team. With talent in the security sector a scarce resource right now, if security professionals don’t feel valued, challenged and energised, they’re likely to search for a company where they will add value.”

Business leaders are unlikely to approve investment in something they can’t comprehend, so security leaders who speak a language the business understands will fare much better. The underlying security objective may not change, but how the organisation perceives the value security adds depends heavily on how that value is communicated. By translating what they offer from security language into business language, security leaders can get the buy-in they need.

“That’s how they can start to change how they are perceived in the business and add more value, rather than being considered a blocker,” says McMahon. “Employees are the single largest vulnerability to a business, but the flip side is they’re also the single biggest security resource a company has. A security culture is achievable if employees are educated and made aware of why it’s important.

“Security leaders need to seize this opportunity which will elevate their profile, change perceptions and bring them back to the decision-making table. At LastPass, we work with companies to achieve that culture and protect their business in a more sustainable and evolving way.”

Organisations are realising that identity management is no longer a core competency of their own, given the variety of on-premises and cloud services their employees and partners need access to. With the workforce likely to remain away from the office for the foreseeable future, on-premises identity management solutions cannot scale quickly enough to meet the needs of a dynamic business. Organisations need to work with a provider for whom identity management is a core competency.

“Many people are familiar with LastPass from a personal user perspective,” says McMahon. “In the corporate space, LastPass offers a comprehensive identity management solution combining enterprise password management (EPM), single sign-on (SSO) and multi-factor authentication (MFA).

“EPM goes a long way to eliminating password reuse, providing admins with detailed reports and policy controls, and employees with a secure vault accessible across all devices and browsers, which creates and stores strong, unique passwords for immediate use when required.

“For applications that are in high use by a large portion of the organisation, leveraging SSO to put all the applications behind a single login window is best practice. And leveraging MFA adds an additional security layer that prompts users to validate they are who they claim to be. This can be done in a number of ways, such as via a biometric request or other push notifications. This is all contained within one platform, so companies that come to LastPass can enjoy a complete identity as a service, or IDaaS, solution from one vendor.”
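The reuse reporting McMahon describes above, and the “change it slightly each time” habit the Pinsent Masons case study below points to, are easy to reason about with a small audit. The following is an added example, not LastPass code: it runs over a constructed vault export (the field layout and the sample credentials are assumptions), flags exact reuse of a password across sites by comparing digests rather than plaintext, flags near-duplicates that differ only in a trailing counter, punctuation or case, and generates a strong, unique replacement for each flagged entry.

```python
"""Password-reuse audit over a constructed vault export (illustrative only)."""
import hashlib
import re
import secrets
import string
from collections import defaultdict

# Constructed sample export as (site, username, password). Not real credentials;
# the three-field layout is an assumption made for this example.
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Winter2023!"),
    ("crm.example.com", "alice", "Winter2024!"),
    ("vpn.example.com", "alice", "Winter2023!"),
    ("hr.example.com", "alice", "Tr0ub4dor&3-kq9Xm2"),
    ("wiki.example.com", "alice", "winter2023!"),
]

# People rotate passwords by bumping a trailing number or symbol, or by
# changing case. Stripping that tail and lower-casing gives a "stem", so
# Winter2023!, Winter2024! and winter2023! all collapse to "winter".
_TAIL_RE = re.compile(r"[\d!@#$%^&*()_+\-=.,;:?]+$")


def password_stem(pw: str) -> str:
    return _TAIL_RE.sub("", pw).lower()


def digest(pw: str) -> str:
    # Compare digests so the report itself never has to carry plaintext.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def reuse_report(vault):
    """Return {'exact': [[sites...]], 'similar': [[sites...]]}.

    'exact' groups sites that share an identical password; 'similar' groups
    sites whose passwords share a stem but are not all identical. Note that
    all-digit passwords stem to "" and therefore group together, which is
    acceptable: they are weak regardless.
    """
    by_digest = defaultdict(list)
    by_stem = defaultdict(lambda: {"sites": [], "digests": set()})
    for site, _user, pw in vault:
        by_digest[digest(pw)].append(site)
        stem = password_stem(pw)
        by_stem[stem]["sites"].append(site)
        by_stem[stem]["digests"].add(digest(pw))
    exact = [sorted(sites) for sites in by_digest.values() if len(sites) > 1]
    similar = [sorted(g["sites"]) for g in by_stem.values()
               if len(g["sites"]) > 1 and len(g["digests"]) > 1]
    return {"exact": exact, "similar": similar}


def generate_password(length: int = 20) -> str:
    """CSPRNG password containing at least one of each character class."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def remediation_plan(vault):
    """Map every flagged site to a fresh password, unique across the plan."""
    report = reuse_report(vault)
    flagged = {s for group in report["exact"] + report["similar"] for s in group}
    plan, used = {}, set()
    for site in sorted(flagged):
        pw = generate_password()
        while pw in used:  # a collision is astronomically unlikely; uniqueness is the point
            pw = generate_password()
        used.add(pw)
        plan[site] = pw
    return plan


if __name__ == "__main__":
    rep = reuse_report(SAMPLE_VAULT)
    print("exact reuse:", rep["exact"])
    print("near-duplicates:", rep["similar"])
    print("sites needing a new password:", sorted(remediation_plan(SAMPLE_VAULT)))
```

The stem heuristic is deliberately crude; a production report would also check passwords against breach corpora and apply the organisation’s policy on length and age, but the structure of the check (group by digest, group by normalised stem, rotate everything that falls into a group) is the same.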


Changing hearts and minds


One of the greatest challenges enterprises face in safeguarding their business is encouraging the right behaviours among their employees

Pinsent Masons

International law firm Pinsent Masons has developed a human-centric approach to security to help protect the future of the organisation through education, transformation and trust.

Central to this approach has been an acceptance by the firm that people will typically be more interested in safeguarding their own digital lives than the company they work for. Rather than fight this mindset, Pinsent Masons has sought to tap into it, developing behaviours that benefit the business as well as employees in their personal lives.

Passwords are where this mindset is most evident. Remembering numerous passwords, or having to change them frequently, is not only frustrating for staff but often counterproductive for security, because people write them down or change them only slightly each time.

Recognising this, Pinsent Masons turned to LastPass’s enterprise password management (EPM) solution to give its employees a secure way of storing their passwords in a vault that is unlocked with a single master password.

To support Pinsent Masons’ aim of getting staff to adopt this way of working, LastPass has provided each employee with a personal LastPass Premium account for use in their personal lives alongside the enterprise installation. This has been key to encouraging the right behaviours.

“Our ultimate goal is to ensure our people are at their most secure wherever they are,” says Christian Toon, chief information security officer at Pinsent Masons. “With LastPass, we’ve been able to procure an enterprise password manager that has given a personal benefit to our employees as well as value to our firm. The onboarding LastPass provided has also been excellent.

“Password managers are still quite new to many organisations, so culture change is required to bring people on board. LastPass has been supportive in resource, but also in personnel and content to help us get those hearts and minds where they need to be.”

Another major threat vector in the legal sector is phishing, which firms such as Pinsent Masons have historically tackled by measuring how many employees click on suspect emails. Pinsent Masons was seeing few results from this approach, and the perception among employees that the security team is trying to catch them out can perpetuate a divide.


In 2017, as part of their efforts to build a human-centric security culture, Toon and his team flipped the approach: instead of counting clicks, they urged people to report suspicious emails and measured that. To make employees feel confident and comfortable reporting such emails, they embraced gamification, producing league tables showing which departments were the most prolific reporters.

“Our reporting has gone through the roof because people are now more aware,” says Toon. “It’s a great example of how changing our language and approach can have a huge benefit. The culture we’ve built means people feel safe and comfortable talking about security, escalating it and allowing us to deal with it.

“That’s helped no end not just in terms of security, but also our reputation internally. We’re no longer seen as blockers or the sales prevention team or the people who say no. We’re an integral part of the firm’s growth because the business can continue doing what’s needed to support clients and we know they’re doing it securely because we’re involved in those conversations.”

Human-centric security is a growing trend across many sectors. And while digital transformation brings new technology and greater productivity, some risks have not changed, phishing and social engineering among them.

“Our human-centric security policies are all about making security work better with and for people,” says Toon. “It’s very much front and centre of our employees’ lives when they’re at work and when they’re at home. Fostering the right behaviours and continuing on this human-centric journey with LastPass has reduced the risk to our business in a way that benefits everyone. It’s a win-win.”
