
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
September 29, 2021


Why reactive pandemic-related security policies cause problems – and how to fix them

Dr. Hugh Hunter examines the pitfalls of pandemic-related reactive security policies and how organisations can work to improve them. 

The pandemic has changed the workplace in many ways, but organisations' security policies have remained almost the same. Instead of a post-pandemic revamp, security policies are patched as problems arise. Reactive policy-making is always risky, but the problems aren't obvious until we stop to think about what these policies are actually for.

We can view security in terms of four major stakeholders:

  • Management – A security policy shows how to build security into projects from the start
  • Employees – A security policy makes clear to employees what is expected of them
  • Partners – A security policy allows partners to trust an organisation by reviewing the security protections that are in place
  • Regulators – A security policy dovetails with regulations to show that the organisation is compliant

Credit: RanczAndrei/Alamy


Limits of reactive policy making 

Losing compliance 

When policies change reactively, we create new rules to solve a specific problem. But new rules often have effects beyond their intended scope: a change in one part of an organisation can have consequences elsewhere.

For example, many organisations have changed security policies to allow employees to work remotely some of the time. Previously, a few trained employees could serve as first-aiders; with a rotating remote work schedule, those first-aiders might not be on site on a given day. This can cause a compliance issue in countries where the presence of first-aiders is regulated by law.

The more difficult it is to say who is in the office on a given day, the more difficult it becomes to meet this obligation. In other words, a reactive change can cause an organisation to lose compliance with standards set by partners or regulators.

New rules, new gaps 

New rules can also create unexpected management gaps. As Peter Houlis has shown, adjustments to personnel security policy can mitigate the risk of insider threats. But by the same token, reactive adjustments can make that threat more severe.

As Scott Stewart wrote for Stratfor: “while insiders do have some significant advantages over outside attackers by understanding the inner workings of an organisation, they also have a big disadvantage in that their frequent contact with colleagues provides many opportunities to be observed (and caught) as they progress through their attack cycle.”

Reactive policies that reduce contact between employees and managers remove exactly those opportunities for observation, and so create a security gap. This gap may cause managers to miss some of the signs of an insider threat. Worst of all, the existence of the gap isn't obvious until something goes wrong.

Challenges of awareness 

It is always a struggle to get employees focused on security. In a pandemic, employees are already devoting mental energy to keeping their families safe. Yet employee awareness is crucial to policy success, and every small reactive change is one more thing to communicate. A single, well-advertised policy change is better than many small ones.

A holistic approach to security policy making

Reactive security policies fail when they do not connect to other organisational priorities. That failure can lead to missed compliance requirements, and it can create knowledge gaps for managers. A first step in building security policies that work is to think holistically.

Holistic thinking means seeing the big picture of security as a unified area. Vigitrust's five-pillar approach is a useful framework for this. The key is an outlook that lets you view all areas of security together, with one area supporting another.

For example, IT security is tremendously important, but solving an IT problem can sometimes open gaps in other areas of security. If IT security controls become too complicated, it's human nature to find a workaround, and that's where people security has a role to play. All areas of security converge on one another; everything is connected. Policies that plan for the big picture will better capture organisational needs.

The holistic approach can be extended to the organisation as a whole. One way to apply it is to go outside security for a solution. The kinds of behaviour that managers cannot monitor in a remote work scenario may be visible to other functions, such as Human Resources, which is one reason the Intelligence and National Security Alliance (INSA) views HR as a key enabler for insider threat programmes.

Getting organisational buy-in 

The holistic approach does more than widen our view of a problem; it can also help engage others in finding a solution. From that perspective, organisational buy-in goes beyond executive buy-in. Engaging other organisational priorities connects security policies to organisational needs.

Increasing buy-in helps employees understand their security obligations and helps awareness messages break through. One way to take a holistic approach and ensure buy-in is a hub approach, where security policies are integrated with health and safety policies in a shared hub so that each gives the other a signal boost.

Explaining to colleagues in other functions how the security policies need to change, before announcing the changes to everyone, is a good first step.
