Building a culture with security at the heart

With the security perimeter shifting from the office to the home, security leaders must speak the language of the business to build the culture needed to protect their company and overcome the perception they are blockers of innovation


LastPass advertorial

As many employees are already, or soon will be, working remotely, organisations globally are implementing a variety of cloud-based solutions to support staff in adjusting to working from home. The primary goal is maintaining close to the same level of productivity as if they were in the office.

However, in a world of accelerated transformation and a shifting security perimeter, companies must ensure they have fit-for-purpose security solutions in place combined with an organisation-wide awareness programme.

Data breaches have become a lot more difficult to detect. Every opportunity is used by cybercriminals to gain entry, such as phishing emails that masquerade as important updates on topical and newsworthy items, including COVID-19. This means the focus now needs to be on employee awareness and behaviour. If employees aren’t vigilant, this can easily create vulnerabilities regardless of how much has been spent on security solutions.

“Tried-and-trusted methods of cyberattack, such as phishing and social engineering, are still the best way of gaining access and compromising a business, and they’re very much targeted at the individual and what that individual knows,” says Barry McMahon, senior international manager at LastPass by LogMeIn.

“That’s not to say the problem is between the seat and the keyboard as there is an onus on the business to make sure they put the right tools, processes and procedures in place. Unfortunately, that’s where many companies stop. The real value is realised when an organisation-wide culture of awareness and appreciation for security is aligned to existing solutions and processes.

“To build a security culture, you need to communicate with employees in a language they understand which, for the most part, is a non-tech language. Try to make it relevant to their personal life and then, by association, address the relevance to the business.

“Companies need to shift from a few employees doing a lot, to a lot of employees doing a little, and then continually improving on that and measuring the improvement along the way. If you can’t measure it, how can you demonstrate you are adding value by reducing the risk profile of the business?”

LastPass pull stats

Whether an employee is working from the office or remotely, the best security approach is to manage their digital identity and access methods as they login to the resources they need. But this must be done in a frictionless way. User experience is crucial to building a security culture and, if it is poor, employees will quickly find ways to circumvent the security measures in place. If user experience is good, employees will barely even realise those measures are there.

Many security teams face the additional challenge of being sidelined. While cloud solutions offer enormous value, they also allow line-of-business and department heads to bypass security teams if they perceive they are blockers of innovation and productivity, and then deploy the solutions on their own. This means the security or IT department is no longer the automatic gatekeeper of any technology deployed, which can create vulnerabilities and security blind spots they’re not even aware of.

Security teams therefore face the task of changing the perception not just of themselves, but of security as a whole within the business. This requires proactive communication and raising awareness of the value and credibility they add when they are involved. If they fail to change that perception, and line-of-business and department heads continue deploying technology in their own vacuum, it will be the security team’s problem when something is compromised.

Similarly, in line-of-business projects, security leaders need to position themselves as the experts who can enable projects to be secure by design. By positioning the security team’s involvement as a seal of approval, the line-of-business stakeholders can use this to demonstrate their project doesn’t expose the business to any unnecessary risk.

“If security teams are out of the loop, then from a top-down perspective it’s likely that senior leaders in the business just see them as a cost centre,” says McMahon. “This not only increases the exposure of the business to vulnerabilities and threats, but could also lead to the company losing talent from its security team. With talent in the security sector a scarce resource right now, if security professionals don’t feel valued, challenged and energised, they’re likely to search for a company where they will add value.”

Business leaders are unlikely to approve investment for something they can’t comprehend, so security leaders that talk in a language they understand will fare much better. It’s important to point out that the underlying security objective may not change, but how the organisation perceives the value security adds will rely heavily on how security leaders communicate its business value. By translating the value they are offering, from security language to business language, they can get the buy-in they need.

“That’s how they can start to change how they are perceived in the business and add more value, rather than being considered a blocker,” says McMahon. “Employees are the single largest vulnerability to a business, but the flip side is they’re also the single biggest security resource a company has. A security culture is achievable if employees are educated and made aware of why it’s important.

“Security leaders need to seize this opportunity which will elevate their profile, change perceptions and bring them back to the decision-making table. At LastPass, we work with companies to achieve that culture and protect their business in a more sustainable and evolving way.”

Organisations realise identity management is no longer their core competency given the variety of on-premise and cloud services employees and partners have and need access to. And with the high probability that the workforce will be based away from the office for the foreseeable future,  on-premise identity management solutions are not reactive enough to scale to meet the needs of a dynamic business. They need to work with a company that has identity management as a core competency.

“Many people are familiar with LastPass from a personal user perspective,” says McMahon. “In the corporate space, LastPass offers a compressive identity management solution combining enterprise password management (EPM), single sign-on (SSO) and multi-factor authentication (MFA).

“EPM goes a long way to eliminating password reuse, providing admins with detailed reports and policy controls, and employees with a secure vault accessible across all devices and browsers, which creates and stores strong, unique passwords for immediate use when required.

“For applications that are high use by a large portion of the organisation, leveraging SSO to put all the applications behind a single login window is best practice. And leveraging MFA adds an additional security layer that prompts users to validate they are who they claim to be. This can be done in a number of ways, such as via biometric request or other push notifications. This is all contained within one platform, so companies that come to LastPass can enjoy a complete identity as a service, or IDaaS, solution from one vendor.”

For further information please visit www.lastpass.com/identity