Dark Reading is part of the Informa Tech Division of Informa PLC

12/3/2019 02:00 PM
What Security Leaders Can Learn from Marketing

Employees can no longer be pawns who must be protected all the time. They must become partners in the battle against threats.

As someone with responsibility over both marketing and security teams, I've noticed some remarkable parallels between the two. The relationship that feels particularly pertinent today is the idea that every employee is responsible for security, not just the IT/security organization.

Rewind to the early 2000s, and accountability for a brand's reputation lay squarely with the marketing department. The most effective ways to shape public perception were through traditional means, using advertising and corporate PR campaigns. Fast forward a decade and everything has changed. With social media accounts and an always-on communications sphere, suddenly every employee has the power to cause a brand crisis and send share prices tumbling. Marketing has had to adjust fast, and there are now all kinds of technologies and processes that significantly reduce reputational risk while empowering employees to avoid disasters and actively become advocates for the brand.

What does this have to do with security? Well, there's a familiar trend taking place in this space, too.

The Good Old Days
One of the issues facing security leaders over the past few years has been the almost overwhelming growth of attack vectors. Even a decade ago, the vast majority of employees sat behind desks using Windows computers inside corporate offices, accessing corporate data over Ethernet cables into a protected intranet. Smartphones were just starting to make inroads, but business apps were limited in number and functionality, and 4G was in its infancy. IT and security teams were almost exclusively responsible for managing the risk of a cybersecurity crisis — just like with marketing and PR crises.

Today's workplace is almost unrecognizable. More employees than ever access corporate data via mobile devices, outside the traditional corporate environment and using an incredibly diverse array of corporate-issued and their own devices running on Windows, macOS, iOS, and Android. There's also a wider variety of network connections, from cellular LTE to home or public Wi-Fi hotspots. 5G and Wi-Fi 6 are both ready to make a bigger splash, too. Developing a robust security strategy that intelligently accommodates these sweeping shifts has been a challenge for many in the industry.

The Front Line Has Shifted
Examining the situation a little more closely can help provide answers. Given the shift toward mobile-centric, perimeter-free working environments, the days when security could totally isolate and protect employees, effectively keeping them inside a secure bubble, are long gone. As LTE connectivity has improved, mobile workers are now at the forefront of external threats. The traditional perimeter is dead.

And that's the key point. IT and security roles have changed, just as the role of mobile employees has shifted. It's time to radically rethink the way we perceive our employees. They are our troops and our front line of defense. They are ambassadors for the security of the organization, in the same way that they're ambassadors for the brand.

That's not to say that mobile employees are totally prepared. Humans are often the weakest link when it comes to cybersecurity, and that's why hackers focus on them as soft targets.

Walking a Fine Line
What needs to change? Locking down mobile devices with strict policies that don't consider workflow can frustrate employees. This kind of authoritarian attitude toward what mobile workers can and cannot do unfortunately leads to many unforeseen consequences, not the least of which is shadow IT and internal friction. Even more worrying is the potential loss of productivity and the increase in worker frustration. Employees must be seen as allies in the fight against threats, not antagonists — winning hearts and minds internally has never been more important.

The alternative, preferred philosophy is to empower employees. Ask them what tools and applications they need. Figure out how much "freedom" they require in order to be productive and get their jobs done. Introduce reasonable content controls that prioritize work-related applications but allow non-work-related ones too — policies that can be applied to any device using any network. Implement sensible password and authentication controls that work for their purposes, such as single sign-on or multifactor authentication — and make sure the impact on employee experience is as small as possible. Establish security policies that take context into account whenever possible; apply them lightly when conditions are low-risk, and heavily when they're not.
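The last recommendation above, apply controls lightly when conditions are low-risk and heavily when they are not, is what a context-aware access policy does in practice. The block below is an added illustration written for this page; it is not code from the article or from NetMotion's product. It models the idea as a small risk score built from device, network, authentication and data-sensitivity context, and maps that score to a graduated decision (allow, step-up MFA, read-only, deny) with the reasons recorded for audit. Every field name, weight and threshold is an assumption chosen for the example, and the sample contexts are constructed, not real telemetry.

```python
"""Toy context-aware access policy (added illustration, not the article's or
NetMotion's code). Field names, weights and thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"               # low risk: no added friction for the user
    STEP_UP_MFA = "step_up_mfa"   # moderate risk: require a fresh MFA factor
    READ_ONLY = "read_only"       # elevated risk: permit viewing, block changes
    DENY = "deny"                 # high risk: block the request and raise an alert


@dataclass(frozen=True)
class AccessContext:
    device_managed: bool        # enrolled in the organization's MDM/UEM
    os_patched: bool            # OS meets the current patch baseline
    network: str                # "corporate", "cellular", "home" or "public"
    mfa_age_minutes: int        # minutes since the last strong authentication
    resource_sensitivity: str   # "low", "medium" or "high"


# Illustrative weights. Unknown networks are scored like public hotspots and
# unknown sensitivity labels like "high", so a missing label never lowers risk.
NETWORK_RISK = {"corporate": 0, "cellular": 1, "home": 1, "public": 3}
SENSITIVITY_RISK = {"low": 0, "medium": 1, "high": 2}
MFA_STALE_AFTER_MINUTES = 8 * 60


def assess(ctx: AccessContext) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    if not ctx.device_managed:
        score += 3
        reasons.append("device not managed")
    if not ctx.os_patched:
        score += 2
        reasons.append("OS below patch baseline")
    net = NETWORK_RISK.get(ctx.network, NETWORK_RISK["public"])
    if net:
        score += net
        reasons.append(f"network '{ctx.network}' (+{net})")
    sens = SENSITIVITY_RISK.get(ctx.resource_sensitivity, SENSITIVITY_RISK["high"])
    if sens:
        score += sens
        reasons.append(f"resource sensitivity '{ctx.resource_sensitivity}' (+{sens})")
    if ctx.mfa_age_minutes > MFA_STALE_AFTER_MINUTES:
        score += 2
        reasons.append("MFA older than 8 hours")
    return score, reasons


def risk_score(ctx: AccessContext) -> int:
    return assess(ctx)[0]


def decide(ctx: AccessContext) -> Decision:
    """Map context to a decision: light touch when low-risk, heavy when not."""
    # Hard rule independent of the score: unmanaged devices never reach
    # high-sensitivity resources, however clean the rest of the context looks.
    if not ctx.device_managed and ctx.resource_sensitivity == "high":
        return Decision.DENY
    score = risk_score(ctx)
    if score <= 2:
        return Decision.ALLOW
    if score <= 5:
        return Decision.STEP_UP_MFA
    if score <= 7:
        return Decision.READ_ONLY
    return Decision.DENY


if __name__ == "__main__":
    # Constructed sample contexts, not real telemetry.
    samples = {
        "office desktop, medium data": AccessContext(True, True, "corporate", 30, "medium"),
        "managed laptop, cafe Wi-Fi, stale MFA, high data": AccessContext(True, True, "public", 600, "high"),
        "personal phone at home, low data": AccessContext(False, True, "home", 10, "low"),
        "personal unpatched phone, cafe Wi-Fi, high data": AccessContext(False, False, "public", 1000, "high"),
    }
    for label, ctx in samples.items():
        score, reasons = assess(ctx)
        detail = ", ".join(reasons) or "no risk factors"
        print(f"{label}: {decide(ctx).value} (score {score}; {detail})")
```

The point of the graduated outcomes is the friction budget: the office desktop case gets out of the way entirely, the personal phone on home Wi-Fi is asked for a fresh factor rather than blocked, and only the combination of an unmanaged, unpatched device on a public hotspot reaching high-sensitivity data is refused outright. Returning the reasons alongside the decision is what lets the security team explain a prompt or a block to the employee, and tune the weights when the same reason keeps generating complaints.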

The critically important step in this process is to educate and re-educate workers so that they can be trusted to identify and avoid common pitfalls and risks. Train them to recognize phishing emails and text messages. Teach them how to recognize an insecure Wi-Fi hotspot. And give them tools that help them understand risk, react to situations, and escalate concerns. The best security is almost invisible to end users — it becomes something they feel personally responsible for rather than something imposed upon them that they find ways to tolerate or circumvent.

Security Is Everyone's Responsibility
It's undeniable that the work environment has changed for most workers today, and security must find new ways to accommodate them. Yes, workers are possibly the biggest security risk to your organization, especially when they increasingly use devices and networks beyond your control. Those same workers are the biggest reputational risk to your organization, even more so now that they are able to post about — and in some cases on behalf of — the company on social media and elsewhere.

The reaction from marketing to these changes was to find new ways of educating, equipping, and empowering employees to avoid disasters and to endorse and amplify the brand online. Security leaders can learn a lot from this approach.

Employees can no longer be pawns who need protecting. They must become partners in the battle against threats. With the right technologies, policies and training, workers will take on more responsibility in identifying and preventing potential threats in this new mobile-first, perimeter-free workplace. And it's your job to help them get there.


Christopher Kenessey is the CEO of NetMotion Software and brings nearly two decades of mobile industry experience to the role. He has worked in sales, management, and leadership roles at Cisco and VFX software company The Foundry, and he holds a bachelor's ...