Dark Reading is part of the Informa Tech Division of Informa PLC

What Security Leaders Can Learn from Marketing

Employees can no longer be pawns who must be protected all the time. They must become partners in the battle against threats.

As someone with responsibility over both marketing and security teams, I've noticed some remarkable parallels between the two. The relationship that feels particularly pertinent today is the idea that every employee is responsible for security, not just the IT/security organization.

Rewind to the early 2000s, and accountability for a brand's reputation lay squarely with the marketing department. The most effective ways to shape public perception were through traditional means, using advertising and corporate PR campaigns. Fast forward a decade and everything has changed. With social media accounts and an always-on communications sphere, suddenly every employee has the power to cause a brand crisis and send share prices tumbling. Marketing has had to adjust fast, and there are now all kinds of technologies and processes that significantly reduce reputational risk while empowering employees to avoid disasters and actively become advocates for the brand.

What does this have to do with security? Well, there's a familiar trend taking place in this space, too.

The Good Old Days
One of the issues facing security leaders over the past few years has been the almost overwhelming growth of attack vectors. Even a decade ago, the vast majority of employees sat behind desks using Windows computers inside corporate offices, accessing corporate data over Ethernet cables into a protected intranet. Smartphones were just starting to make inroads, but business apps were limited in number and functionality, and 4G was in its infancy. IT and security teams were almost exclusively responsible for managing the risk of a cybersecurity crisis — just like with marketing and PR crises.

Today's workplace is almost unrecognizable. More employees than ever access corporate data via mobile devices, outside the traditional corporate environment, using an incredibly diverse array of corporate-issued and personally owned devices running Windows, macOS, iOS, and Android. There's also a wider variety of network connections, from cellular LTE to home or public Wi-Fi hotspots. 5G and Wi-Fi 6 are both ready to make a bigger splash, too. Developing a robust security strategy that intelligently accommodates these sweeping shifts has been a challenge for many in the industry.

The Front Line Has Shifted
Examining the situation a little closer can help provide answers. Given the shift toward mobile-centric, perimeter-free working environments, the days when security could totally isolate and protect employees, effectively keeping them inside a secure bubble, are long gone. As LTE connectivity has improved, mobile workers are now at the forefront of external threats. The traditional perimeter is dead.

And that's the key point. IT and security roles have changed, just as the role of mobile employees has shifted. It's time to radically rethink the way we perceive our employees. They are our troops and our front line of defense. They are ambassadors for the security of the organization, in the same way that they're ambassadors for the brand.

That's not to say that mobile employees are totally prepared. Humans are often the weakest link when it comes to cybersecurity, and that's why hackers focus on them as soft targets.

Walking a Fine Line
What needs to change? Locking down mobile devices with strict policies that don't consider workflow can frustrate employees. This kind of authoritarian attitude toward what mobile workers can and cannot do unfortunately leads to many unforeseen consequences, not the least of which is shadow IT and internal friction. Even more worrying is the potential loss of productivity and the increase in worker frustration. Employees must be seen as allies in the fight against threats, not antagonists — winning hearts and minds internally has never been more important.

The alternative, preferred philosophy is to empower employees. Ask them what tools and applications they need. Figure out how much "freedom" they require in order to be productive and get their jobs done. Introduce reasonable content controls that prioritize work-related applications but allow non-work-related ones too — policies that can be applied to any device using any network. Implement sensible password and authentication controls that work for their purposes, such as single sign-on or multifactor authentication — and make sure the impact on employee experience is as small as possible. Establish security policies that take context into account whenever possible; apply them lightly when conditions are low-risk, and heavily when they're not.

The critically important step in this process is to educate and re-educate workers so that they can be trusted to identify and avoid common pitfalls and risks. Train them to recognize phishing emails and text messages. Teach them how to recognize an insecure Wi-Fi hotspot. And give them tools that help them understand risk, react to situations, and escalate concerns. The best security is almost invisible to end users — it becomes something they feel personally responsible for rather than something imposed upon them that they find ways to tolerate or circumvent.

Security Is Everyone's Responsibility
It's undeniable that the work environment has changed for most workers today, and security must find new ways to accommodate them. Yes, workers are possibly the biggest security risk to your organization, especially when they increasingly use devices and networks beyond your control. Those same workers are the biggest reputational risk to your organization, even more so now that they are able to post about — and in some cases on behalf of — the company on social media and elsewhere.

The reaction from marketing to these changes was to find new ways of educating, equipping, and empowering employees to avoid disasters and to endorse and amplify the brand online. Security leaders can learn a lot from this approach.

Employees can no longer be pawns who need protecting. They must become partners in the battle against threats. With the right technologies, policies and training, workers will take on more responsibility in identifying and preventing potential threats in this new mobile-first, perimeter-free workplace. And it's your job to help them get there.


Christopher Kenessey is the CEO of NetMotion Software and brings nearly two decades of mobile industry experience to the role. He has worked in sales, management, and leadership roles at Cisco and VFX software company The Foundry, and he holds a bachelor's ...

User Rank: Strategist
7/20/2020 | 4:05:22 AM
I think there are almost fifty important lessons you need to learn before becoming a leader in the field of marketing. And one of the most important is to handle sales appointment settings for each sale.