Vulnerabilities / Threats // Vulnerability Management

12/3/2019 02:00 PM

What Security Leaders Can Learn from Marketing

Employees can no longer be pawns who must be protected all the time. They must become partners in the battle against threats.

As someone with responsibility over both marketing and security teams, I've noticed some remarkable parallels between the two. The relationship that feels particularly pertinent today is the idea that every employee is responsible for security, not just the IT/security organization.

Rewind to the early 2000s, and accountability for a brand's reputation lay squarely with the marketing department. The most effective ways to shape public perception were through traditional means, using advertising and corporate PR campaigns. Fast forward a decade and everything has changed. With social media accounts and an always-on communications sphere, suddenly every employee has the power to cause a brand crisis and send share prices tumbling. Marketing has had to adjust fast, and there are now all kinds of technologies and processes that significantly reduce reputational risk while empowering employees to avoid disasters and actively become advocates for the brand.

What does this have to do with security? Well, there's a familiar trend taking place in this space, too.

The Good Old Days
One of the issues facing security leaders over the past few years has been the almost overwhelming growth of attack vectors. Even a decade ago, the vast majority of employees sat behind desks using Windows computers inside corporate offices, accessing corporate data over Ethernet cables into a protected intranet. Smartphones were just starting to make inroads, but business apps were limited in number and functionality, and 4G was in its infancy. IT and security teams were almost exclusively responsible for managing the risk of a cybersecurity crisis — just like with marketing and PR crises.

Today's workplace is almost unrecognizable. More employees than ever access corporate data via mobile devices, outside the traditional corporate environment and using an incredibly diverse array of corporate-issued and their own devices running on Windows, macOS, iOS, and Android. There's also a wider variety of network connections, from cellular LTE to home or public Wi-Fi hotspots. 5G and Wi-Fi 6 are both ready to make a bigger splash, too. Developing a robust security strategy that intelligently accommodates these sweeping shifts has been a challenge for many in the industry.

The Front Line Has Shifted
Examining the situation more closely can help provide answers. Given the shift toward mobile-centric, perimeter-free working environments, the days when security could totally isolate and protect employees, effectively keeping them inside a secure bubble, are long gone. As LTE connectivity has improved, mobile workers are now at the forefront of external threats. The traditional perimeter is dead.

And that's the key point. IT and security roles have changed, just as the role of mobile employees has shifted. It's time to radically rethink the way we perceive our employees. They are our troops and our front line of defense. They are ambassadors for the security of the organization, in the same way that they're ambassadors for the brand.

That's not to say that mobile employees are totally prepared. Humans are often the weakest link when it comes to cybersecurity, and that's why hackers focus on them as soft targets.

Walking a Fine Line
What needs to change? Locking down mobile devices with strict policies that don't consider workflow can frustrate employees. This kind of authoritarian attitude toward what mobile workers can and cannot do unfortunately leads to many unforeseen consequences, not the least of which is shadow IT and internal friction. Even more worrying is the potential loss of productivity and the increase in worker frustration. Employees must be seen as allies in the fight against threats, not antagonists — winning hearts and minds internally has never been more important.

The alternative, preferred philosophy is to empower employees. Ask them what tools and applications they need. Figure out how much "freedom" they require in order to be productive and get their jobs done. Introduce reasonable content controls that prioritize work-related applications but allow non-work-related ones too — policies that can be applied to any device using any network. Implement sensible password and authentication controls that work for their purposes, such as single sign-on or multifactor authentication — and make sure the impact on employee experience is as small as possible. Establish security policies that take context into account whenever possible; apply them lightly when conditions are low-risk, and heavily when they're not.

The critically important step in this process is to educate and re-educate workers so that they can be trusted to identify and avoid common pitfalls and risks. Train them to recognize phishing emails and text messages. Teach them how to recognize an insecure Wi-Fi hotspot. And give them tools that help them understand risk, react to situations, and escalate concerns. The best security is almost invisible to end users — it becomes something they feel personally responsible for rather than something imposed upon them that they find ways to tolerate or circumvent.

Security Is Everyone's Responsibility
It's undeniable that the work environment has changed for most workers today, and security must find new ways to accommodate them. Yes, workers are possibly the biggest security risk to your organization, especially when they increasingly use devices and networks beyond your control. Those same workers are the biggest reputational risk to your organization, even more so now that they are able to post about — and in some cases on behalf of — the company on social media and elsewhere.

The reaction from marketing to these changes was to find new ways of educating, equipping, and empowering employees to avoid disasters and to endorse and amplify the brand online. Security leaders can learn a lot from this approach.

Employees can no longer be pawns who need protecting. They must become partners in the battle against threats. With the right technologies, policies, and training, workers will take on more responsibility in identifying and preventing potential threats in this new mobile-first, perimeter-free workplace. And it's your job to help them get there.

Christopher Kenessey is the CEO of NetMotion Software and brings nearly two decades of mobile industry experience to the role. He has worked in sales, management, and leadership roles at Cisco and VFX software company The Foundry, and he holds a bachelor's ...