Why All Employees Should Be Security Ambassadors — and How to Do It

A recent Motherboard article caught our eye and got us thinking about who is — and who should be — responsible for security in an organization. The article, titled “We Need to Change the Psychology of Security,” makes the argument that, by treating security as a specialization that belongs only to a few people in an organization (the security team), we are crippling our ability to successfully achieve security at scale.

The author, Adrian Sanabria, makes some excellent points. After reading the article, we wanted to share some actionable ways that organizations can go about deputizing their employees as security ambassadors.

Build a Security-Enabled DevOps Culture

One of the key problems that Sanabria points out is that IT and security have become two separate disciplines. Relatedly, development is, in many cases, sequestered from security. We’ve written several times before on this blog about why DevOps culture should be giving way to DevSecOps. We are now at a point in the evolution of the cloud where security should not be a side project or afterthought. It needs to be tightly integrated into continuous deployment cycles, which means that developers need to have both an understanding of key security principles and the responsibility to build secure software.

For recommendations on how to make this a reality in your organization, check out our post on how to apply DevOps culture to security and why you should do it.

Train and Educate Everyone

Of course, effective security must go beyond security, development, and operations teams to every corner of the organization. As Sanabria mentions, the training of new employees is an important opportunity to instill a security mindset into all roles early on.

Earlier this summer, we put together a list of resources to help educate you and your team about security, ranging from MOOCs to online certifications and beyond. This can be a great starting point for making sure that everyone at your company has the right kind of information to be an effective security ambassador.

Additionally, you want to make sure that security is both a board-level and executive-level priority. To do this, we put together five tips for executives on reinforcing your organization’s security posture. You can also hear from our CFO on the real value of cloud security in dollars and cents. Sometimes it takes numbers to convey the importance of this discipline to the business as a whole. To that end, you can also have a look at our post on how cloud security can actually accelerate the sales cycle.

From a practical, day-to-day standpoint, there are a few security measures that everyone at your organization should be familiar with. Increasingly, one of the most important is two-factor authentication (2FA). (See our three-part series on using Duo for 2FA.) Other key initiatives include phishing and malware awareness as well as identity and password management.

Communicate and Instill Responsibility

Part of the challenge when it comes to deputizing employees as security ambassadors is communicating that security is everyone’s responsibility. That doesn’t mean passing the blame when something goes wrong (remember: it’s still the bad guys’ fault), but it does mean explaining to employees that they are expected to take all reasonable security precautions (such as using 2FA, identity management software, and any other relevant security tools you decide to implement). Train your employees on the importance and application of these tools and processes. And to really bring it home, spend time exploring real security incidents — how they came about and how protections like the ones they’re being asked to use can stop similar attacks from happening to your company.

Furthermore, to mitigate the risk of insider threats, it’s key to put in place a workload insights tool that will allow you to know when an employee or ex-employee’s credentials are being used for nefarious purposes. Having this in place gives you the means to investigate potential attacks and communicates to employees that what they do on the company infrastructure is being monitored at all times.

Distribute Alerting Evenly

No matter how many or how few alerts come in, it should not be one person’s job to manage them. For one, this is a one-way ticket to alert fatigue and burnout. 

The alternative? Distributed security alerting, like the system Slack has implemented. This makes it possible to quickly catch and respond to threats. As Slack points out, catching threats quickly isn’t something you can do at scale with a security team alone. Instead, set up your system so that it immediately sends an alert to the user who triggered a suspicious activity.

For example, if user Mike logs in from an unrecognized IP address, he might get an automatic message: “Hey Mike: Is that really you?” If he says, “Yep!”, no problem. If he says, “I have no clue what you’re talking about,” or doesn’t respond within a certain timeframe, it can be escalated to the security team.

Distributed security alerting takes quite a bit of the legwork out of security analysts’ jobs and means that the whole company can pitch in to ensure an optimal security posture.
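The triage flow from the Mike example above, written out as an added example (it is not code from the original post or from Slack's system). The 15-minute response window, the function names, and the sample logins and replies are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: time the user has to answer before the security team is paged.
RESPONSE_WINDOW = timedelta(minutes=15)

@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    at: datetime

@dataclass(frozen=True)
class Reply:
    confirmed: bool  # True = "Yep!", False = "I have no clue what you're talking about"
    at: datetime

def triage(login, known_ips, reply, now):
    """Return 'ok', 'ask_user', 'resolved' or 'escalate' for one login."""
    if login.ip in known_ips.get(login.user, set()):
        return "ok"  # recognized address: nobody is alerted
    deadline = login.at + RESPONSE_WINDOW
    if reply is None:
        return "ask_user" if now < deadline else "escalate"
    if not reply.confirmed or reply.at > deadline:
        return "escalate"  # denial, or an answer after the window closed
    # Confirmed in time: remember the address so the user is not asked again.
    known_ips.setdefault(login.user, set()).add(login.ip)
    return "resolved"

def security_queue(logins, replies, known_ips, now):
    """Logins the security team must review; users handle everything else."""
    return [ev for ev in logins
            if triage(ev, known_ips, replies.get((ev.user, ev.ip)), now) == "escalate"]

# Constructed sample data (documentation IP ranges, hypothetical users).
T0 = datetime(2024, 1, 1, 9, 0)
KNOWN = {"mike": {"192.0.2.10"}}
LOGINS = [
    Login("mike", "192.0.2.10", T0),    # recognized address
    Login("mike", "198.51.100.7", T0),  # new address, confirmed below
    Login("ana", "203.0.113.5", T0),    # new address, denied below
    Login("raj", "203.0.113.9", T0),    # new address, never answered
]
REPLIES = {
    ("mike", "198.51.100.7"): Reply(True, T0 + timedelta(minutes=2)),
    ("ana", "203.0.113.5"): Reply(False, T0 + timedelta(minutes=1)),
}
```

Of the four sample logins, only the denied one and the unanswered one reach the security team once the window has passed.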

People + Responsibility = Security

It’s important to follow the security equation of people + process + tools. Hire your security personnel first, let them develop appropriate processes, and then select tools that fit their needs. Moving parts of that equation around can lead to stress and holes in your safety net.

However, it’s also key to think about the other people beyond security experts who work at your company, or will in the future. They are huge (and often overlooked) assets to you when it comes to security. Deputizing them by communicating the purpose and value of security and empowering them to participate in the process is the best way to ensure that your security team doesn’t burn out and your organization remains secure.