Hurt feelings, techspeak, and process errors all lead to compromise.
By: Brand Barney
The struggle is real folks.
How does a communication error result in a data breach, you ask? To put it simply, if departments don’t work together, security doesn’t happen.
- If there is no process for IT to communicate with the CISO, IT might forget to tell him/her that a security assessor is coming on Thursday to audit the security of their company (true story).
- If the head of customer support refuses to speak with the director of development because of an age-old feud, he won’t have the chance to tell him that a customer found a security bug in their website (true story).
- If a salesman gets annoyed at IT because the Wi-Fi goes down again and his paycheck is on the line, he might choose to secretly connect to a free, unverified, vulnerable Wi-Fi signal (also a true story).
Ultimately, department heads aren’t the only ones affected by interdepartmental communication problems. If these problems lead to a breach, the entire company gets egg on its face. Not to mention the poor customers whose data was stolen by a hacker in the midst of this rampant communication debacle.
So, how do you avoid communication problems at your organization? Keep reading to find out how to fix this problem. First, let’s dig into company culture.
How did this backwards IT security communication culture begin?
Each department hires like-minded people, which can lead to problems if each department cannot communicate effectively. Departments or teams often work against each other because of pride or elitism. Maybe they feel the other group is not competent. For example, a team may decide to branch off and handle an issue on their own because they feel the other group is too busy or isn’t up to snuff. “I’ll just do it myself. Those guys don’t know what they are doing.” Yikes.
To make it worse, the poor communication culture from other companies gets thrown in the mix when employees are hired on from the outside. If an IT department hires three new employees from three very different technology companies, each will have a different expectation of how their team should operate. Does this phrase sound familiar? “But at my old company…”
Another contributing factor to communication problems is what I like to call techspeak, endearingly called technobabble in some circles. All industries and even companies within the same industry use different lingo to mean different things. In some circles only certain verbiage is considered appropriate or accurate. You could be speaking about the exact same process, but using entirely different terms to describe it.
Here’s an example. I use the term ‘grep’ all the time, like a total geek. As in, “I’ll go ahead and grep for it.” Only a tech geek would understand that ‘grep’ is a Unix term for ‘search’. If I said ‘grep’ to upper management, they would probably think I was going to fix the problem, when I only meant I would search for a solution.
Once all these factors start muddling up departments, the tension starts to build. Pent up frustration is taken out in meetings. Departments forget to talk to each other. Lack of IT security communication becomes part of company culture. Department goals polarize. Pretty soon, the left hand has no idea what the right is doing. Congratulations, now your company has tiny clusters of semi-functional groups instead of working as a whole.
What is at risk?
Before you put your blinders on and think, “This isn’t a problem in my company,” think again. Your policies don’t protect against this. Your policies don’t protect against raw human anger or pride. Your employees aren’t saints. Internal communication problems are an epidemic, no matter what industry you’re in. And they’re costing you.
In my opinion, communication problems are the #1 reason you lose star employees. Communication problems are extremely demotivating to an employee. Mountains of hurt feelings, department feuds, and poor security get tiring after a few years. “Nobody even cares about security around here.” “Nobody even likes me in this company.” “Nobody even asked me for that security report last month.” IT security guys are especially susceptible to this demotivating environment.
I’ve actually spoken with several recruiters in the IT security and medical spaces. Do you know what they capitalize on in their LinkedIn, email, and phone pitches? Surprisingly, it’s not always salary. They will often upsell a better company culture over salary. Sure, salary will always play a role in their pitch, but they realize from talking to a never-ending stream of unhappy employees that company culture and team communication are the key to success and happiness. I have talked with numerous developers and salespeople who weren’t even looking for a job, but jumped at the opportunity when offered a better work environment. Obviously, you can’t keep everyone happy. But if you don’t want to lose your superstar employees, this is a good point to remember.
Even more important than your decreasing employee morale is your company’s diminishing security. The reasons for that insecurity are extremely simple to fix. On an audit I conducted a few months ago, a company supervisor and I were confused why logs from the IDS/IPS weren’t being checked. When we asked, the IT employee simply stated, “The alerts from the IDS were noisy, so I turned them off.” A simple communication from IT to the supervisor would have allowed the supervisor to assist the IT employee with proper IDS/IPS configuration, allowing for a much better security posture.
That’s just a simple example that could extend to any point in your security process. Are product managers communicating the implementation dates for new products to developers? If not, security might go on the backburner while developers scramble to launch the product. Etcetera.
How do you fix the internal communication problem?
Obviously communication is a giant problem, which means you won’t be able to fix it overnight. But you can be the one to start the change at your company. Here are seven things to consider when instigating your communication transformation.
1. Be honest with yourself. You have a problem.
HR departments, department directors, CIOs, guess what? You’ve got a problem. It’s costing you money. It’s costing you employees. It’s costing you customers. That problem is poor internal communication about IT security.
Just for a second, think of the one problem that keeps you up at night. I bet in 90% of cases, whatever problem you are thinking of boils down to communication issues across departments. I’m definitely guilty of hastily glazing over an issue just to later realize it was a communication problem. It could have been solved right away, but since I prolonged it, it only got worse.
Now that you’ve passed the ‘admit-you-have-a-problem’ stage…
2. Have defined training. (Yes, I’m serious)
It sounds fluffy, but training is how you can prevent hurt feelings and process screw-ups. I know you don’t want to be micromanaged (I know I don’t), but this culture we’ve all created needs to be scooped out and replaced with communication processes. This somewhat painful transformation happens through regular training.
Your trainings should probably address:
- The problem itself
- How the problem is damaging your company, employees, and customers
- Your clearly defined process for how communication should happen
- What to do if your feelings have been hurt
- How you can bring up complaints
I know, the last thing you need is another meeting, but these don’t need to be long diatribes. They should focus on discussing what each department needs from the other, including timelines, milestones, and goals. Proactively and honestly talk about what’s going well, and what’s not.
4. Address hurt feelings.
Everyone has their own view on how certain issues, including security issues, should be handled. All it takes is one misguided or misspoken piece of feedback to hurt someone’s feelings and completely derail the course of your team’s security efforts.
I’ve worked with companies where both new and seasoned security experts’ knowledge is questioned. So when departments come together for a combined security effort, everyone is walking on eggshells. Be mindful of this.
5. Tell your employees why.
Sometimes employees just want to know the ‘why’ of things. Why are we buying this product? Why didn’t we buy the product I researched and suggested? Why didn’t we implement this solution? Why? WHY? WHY????
When employees don’t get answers to their ‘why’s’, they decide to take matters into their own hands. And that’s when security and process problems start. Remember, your employees have the keys to the kingdom. You rarely hold anything other than the checkbook. Answer those employee questions as quickly and succinctly as possible.
You don’t always have to spell it out to your IT team, but having a reason will give your team a direction and will keep their motivation up. Otherwise they may just throw in the towel (and your security with it).
6. Hold your own department accountable.
You can’t get mad at other departments for a faulty communication process if your own department’s communication process is also fundamentally flawed. So how do you prove to other departments that you are, in fact, dependable? I recommend setting up a ticketing system as transparent communication into what your department does, and how quickly they do it.
7. Start fun communication exercises.
I’m not talking about conference room trust falls here. Make your exercises fun! Learn what your employees’ culture is, and adapt. For example, have your departments get together to play laser tag every month. Or get your teams to intermingle in a weekly LAN game. People that play together, stay together! Do what is feasible for your company, but make sure each group and team knows its roles and responsibilities and is able to work cooperatively with the others. It really can be fun.
Start communicating, stay secure!
I’ve rarely seen a breach happen due to highly advanced cyberwarfare (although they do happen). Most IT security breaches boil down to employee communication problems, which lead to real world problems and security vulnerabilities (firewalls not properly configured, employees not trained, systems not patched, logging not enabled, etc.). The bad guys take advantage of those problems while we are arguing amongst ourselves. If you start in your own department to be more open and willing to communicate with others, I promise your security environment will begin to improve.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.