It’s easy to think of security as a barrier.
Admit it. More than once, you’ve been halfway through a project only to have the “security guys” turn up and throw a spanner in the works.
But it doesn’t have to be that way.
Speaking as a security person, the last thing I want to do is make peoples’ lives difficult. Ideally, security would work with you from the outset to make sure projects go smoothly and securely.
To that end, here are four things you can do today to build a solid relationship with your security team — and avoid any last-minute calamities.
1. Involve them from the start
People who want to implement IT solutions often try to stay under the radar and hope the security team won’t notice.
Look, I get it. You want to get your job done. You want minimal disruption, and people have told you that security teams are a pain to work with. But honestly, involving security from the start will not only ensure everything is set up properly to protect the organisation, it will also guarantee the minimum disruption to your project.
After all, if the solution you’re looking at simply isn’t viable for your organisation’s IT infrastructure — or it turns out the vendor can’t sufficiently protect your data — don’t you want to know that as early as possible?
You might have a favourite vendor or agency that you like to work with. But be honest, you probably don’t know how secure their products and services are, or what their approach to security is.
Recently, we heard about an organisation that was just about to launch a new IT system. They’d spent over a million pounds on the project but hadn’t involved the security team. The day before they planned to launch, the security team found out about the system. And you know what? It took an extra year to get the system up and running securely.
If security had been involved at the outset, not only could they have started their work earlier, they likely could have helped to identify a solution that could be implemented quickly and securely.
2. Make things easy for them
Often, you’ll want to work with well-known, out-of-the-box solutions that are already widely used. Many of these solutions are designed to integrate easily with popular applications like Office 365 and Google Apps, and have plenty of customers providing feedback whenever something isn’t working.
And that’s great. But just because you know a solution is widely used and accepted, doesn’t mean your security guys will — they likely aren’t familiar with the internal comms market.
Thankfully, the established nature of your preferred solution is an advantage. Since the vendor is already working with other similar organisations, they likely have standardised security
documentation. If that’s the case, get hold of it early on in the project, and give it to your security team right away — it’ll ease their worries about untested solutions, and cut down the time they need to spend vetting and testing the solution.
Of course, not all preferred solutions are established. For bespoke projects, where a standard security pack isn’t available from the vendor, your security team will need to do more digging.
It is their job to ask questions, after all.
3. Focus on WHAT you want to do, not HOW you want to do it
It’s easy to get hung up on a specific technology. But some technologies are harder to secure than others. For example, mobile technology can add more risk (as people lose their devices all the time), while internally-hosted applications are much easier — especially if they aren’t Internet-facing. After all, it’s hard to leave your PC on a bus.
So rather than talking about HOW you want to do something, have a frank conversation with security about WHAT you’re trying to achieve.
You may need a way to communicate with a large remote workforce, or one that’s made up predominantly of people who work on shop or factory floors and don’t have company email addresses or logins. If you explain this need to your security team, they may be able to suggest ways to achieve your goals without compromising on security.
Ultimately, some technologies won’t be viable for your organisation. But if the security team understands WHAT you want to achieve, they can suggest alternatives that will work.
4. Sell the idea of mutual benefit
Few things are as effective as appealing to good old fashioned self interest. One thing you may not realise about security teams is that they are often crying out for ways to communicate with people across the organisation about important security topics.
When you introduce a project to your security team, sell them the benefit of having that better way of communicating their message. Ask them what they’d like to communicate to the organisation, and work together to figure out how best to do that. If your security team perceives a benefit to them from your project, they will naturally be more invested.
And it doesn’t stop there. Many internal comms and digital transformation projects involve “knitting together” a bunch of disparate IT systems, or reducing the number of systems in use. This potentially has a huge benefit for security teams, as it means fewer systems for them to police.
Even better, if you will still be working with multiple systems, your security team may be able to help you with mutually beneficial technologies like single sign-on, which improves user experience and boosts security.
Don’t Forget Why Security Exists
When it comes to security, it’s easy to wonder: “What’s the worst that could happen?”
Unfortunately, the answer is really bad stuff.
We recently looked at a case for one of our customers where multiple systems — each owned by a different organisation — were hosted on the same server. This is so common with cloud-hosted solutions that it has its own name: multi-tenant.
Here’s the problem. The solution was a web-based application that users accessed via their web browsers. When we looked closely, we discovered that by making some simple changes in the browser displaying the website, we could access every other company’s data that was hosted on that server.
In case it’s not clear, that’s bad. Not only could an outcome like this cause the organisation to be fined for non-compliance (Have you seen the size of the fines they hand out these days?), it also puts a lot of sensitive data at risk.
And that is why your security team exists. Not to make life difficult, but to protect you and your organisation. If you keep that in mind (and remember the points laid out in this article) you should find that working with your security team can lead to improved outcomes for everybody.
Guest post By Gwilym Lewis
About Gwilym Lewis
Gwilym is a co-founder of Appsecco, an application security company that provides pragmatic security advice to companies and organisations worldwide.
Prior to co-founding Appsecco, Gwilym built and ran a specialist web application development company that was sold to a UK PLC in 2012.
Gwilym is constantly told he should stop using the term Cyber Security (and completely understands why) but has yet to come up with a better one for non-technical people.
Gwilym will be hosting a workshop on February 19th 2020 in London called Everything IC Needs to Know About the Dark Side of their Intranet. Here he will explore the good, the bad and the ugly of cyber security and its role within internal communications.