CSPs Use People and Security Technology to be Business Enablers
Print Issue: June 2020
Security professionals must differentiate between being a security monitor or a connected security professional (CSP). Security monitors are reactive, isolated, and have limited impact on the business. They watch and report incidents, which does nothing to help the business achieve its goals.
Alternatively, CSPs are business enablers. By receiving the right information in the right environment, they make decisions that move the business forward. CSPs use data and automation to identify risks before they become threats and respond quickly to mitigate them.
CSPs use intelligence and consume data from many sources, including the Internet, the Dark Web, first-hand observations, intelligence services, insider threat detection software, and industry or community groups. This information helps CSPs get in front of a problem—saving the company time, money, and, potentially, damage.
The volume of data derived from these sources can be overwhelming, so how do security teams make sense of it?
First, they should collect information from all sources tied to the company’s brand or employees. Consume the data using an aggregator to categorize it. Process the information using an analytics engine that will correlate events and identify trends.
For example, an analytics program can be used to demonstrate if an employee is involved in a questionable organization—which is not a crime. If that same employee is also trying to access the data center when he or she does not work in IT, however, that information combined with the data from the analytics program shows a possible risk. This information allows the security team to take action on the data, such as launching an investigation or notifying the executive team, to prevent a possible situation from escalating.
As the security program is developed, CSPs should invite key stakeholders to partner with the team. Work closely with the HR and legal teams to ensure all rules, regulations, and policies are followed. Obtaining buy-in from leadership and understanding the objectives will ensure unity. Keep everything out in the open and get approval on all initiatives.
“You never want to be accused of being secretive with your insider threat or security programs,” says Dan Bissmeyer, director of business development-national at G4S. “That will undermine morale and create serious company culture issues.”
HR and legal teams can also assist with ensuring compliance with complicated privacy laws. Organizations need to be aware of—and design around—privacy laws that differ between communities, states, and countries.
Communication with employees about how the organization is doing this is essential. If consent statements are needed, use them. Some states, for example, require consent to use computer login software that performs internal monitoring of behaviors of employees. Use a splash screen at every log in so employees know they are being monitored by their employer.
Perform security awareness training to remind employees of cameras and be clear—and open—about the intent for the system’s usage, watching for security concerns instead of employee productivity.
Proper program oversight with legal, HR, and communications is the key to success for CSPs. Implement policies around privacy and data aggregation, including who should have access to the data, what data is shared, and how it is shared.
Using the right techniques and the right people pulling from the right resources will make CSPs out of your security team, and help the team identify early risks to the business before they become a threat.
Kami Dukes is director of business development at AMAG.