In medical treatment there is a concept of an "adjuvant" — an agent that enhances the effect of other agents. It’s not the cure, but it helps the cure be more effective. Adjuvants are added to medicines to enhance their responses and lengthen their effect. We can use this same concept for security work.
How does this work? Security already taps other departments to help with an organization’s security mission. It’s time we recognize that a strong performance by these folks can be a force multiplier. For example, personnel in QA, the IT Help desk, IT Operations, and Human Resources are already pre-approved to do security work. What you need to do is reinforce and extol their efforts. Yes, they will probably do an adequate job without help, but it’s to your advantage to invest in these adjuvants to be more effective and influential in their security work.
What Can a Security Adjuvant Do?
The key is to have adjuvants breathe life into your security controls, so they become integrated into the organizational culture. In many ways, they act as part of the security team to ensure that security policy and process is followed. Because adjuvants are not part of the security team, they have a unique perspective that straddles both security and business goals. When security processes fail, security adjuvants can help diagnose problems. They are also able to double-check that security processes are working as intended—that is, even if the process is being followed, is it meeting the goal? Because of this unique perspective, they can also help bridge the gap between aspiration (the policy) and the execution (the reality).
Enough with the theory, let’s look at how security adjuvants work, beginning with one of the humblest but most essential roles in IT.
IT Help desk
The IT help desk is the front line for security. As the single point of contact for users, it’s the first place they turn to with questions and complaints. Therefore, security needs to provide the help desk with a clear process to follow and open communication paths to resolve questions. The help desk needs a fast escalation path to security to ensure developing situations are spotted early and contained. You want to know right away if a phish has been clicked or a malware outbreak is in progress.
The sysadmins are likely to have more knowledge about specific attacks, vulnerabilities, and technical controls than some on the security team. Since sysadmins work with the firewalls, authentication servers, security logs, and encryption systems, they can give expertise to the security team. I’ve always considered it the security team’s job to provide tools and guidelines to help the sysadmins. Sysadmins are also able to give good feedback on why a proposed security change may negatively affect operational stability. They are also often aware when something doesn’t look right, either in a suspicious log entry or how a system is behaving. These are the times when you want sysadmins to be very willing to consult with Security to help in the investigation.
The Quality Assurance (QA) team is a great ally for security. Not only do they find the bugs that can lead to security vulnerabilities, they can also frame the fixes in a broader context of improved product quality. Often security holes are dismissed as the security team crying that the sky is falling. When QA flags them, vulnerabilities can be tied to customer experience. This means that QA teams should have a strong understanding of the application threat models. They should also be provided with a method of testing security vulnerabilities, either directly by demonstration or indirectly from test scripts that can be integrated into the test suites.
Outside the technical areas, Human Resources (HR) often is involved in security matters. When new employees are on-boarded, security needs to make sure these employees are educated on security policies and procedures. HR often can help facilitate both policy sign-off and security awareness directly themselves. Since maintaining a close tie to current employees and authorized user accounts is a key security measure, HR needs to integrate processes with IT or Security to ensure new employees get user accounts, and departing employees have their accounts disabled. When there are involuntary terminations, security needs to be in the loop to ensure all credentials are cut off at once. When severe security policy violations occur, HR also needs to work with security to ensure proper documentation and sanctions are applied.
Empowering and Investing in the Security Adjuvants
Partnering with your security adjuvants means more than just assigning them security responsibilities. It means answering their calls and emails in a timely manner, attending some of their meetings, listening to their needs, and providing customized training and documentation for them. This not only helps them do their security work but more importantly, it sends them a message that you’re invested in helping them succeed. You’re sending a message that everyone is working together to improve security. This extra effort with the adjuvants also gives Security a chance to communicate their goals and knowledge of threats on an ongoing basis.
Having committed, capable individuals outside of the security team is a potent adjuvant to help a security program succeed. Another future role for security adjuvants is to recruit them into the security department. Remember, security is a team effort and savvy CISOs should look beyond their own department for assistance.