How to Explain what Security is About
What do we actually do in Security?
When you provide the absolute best security to a client, what is the result? What changes for that client? The answer is: nothing.
Think about it. Security stops bad things from happening. So when we as security practitioners do the best job possible, there's no result to point to. Often, those who value security the most are those who didn't follow security rules - and got burned.
The fact that when security works, nothing happens, is a problem. Management doesn't always know what we do. Even worse, employees often don't understand what we're asking them to do.
Five Security Areas
That's where the concept of five areas of security comes in handy. Vigitrust came up with the five pillar approach, and while my own approach is somewhat different, I want to give credit where credit is due. It's a genius way of explaining what security is about.
The five areas of security, as discussed below, are people, IT, workspace, information and emergency security.
Some people have more or less wordy ways of expressing those five areas, but these are the key areas. So let's go through them now.
People are our most important asset, so it's appropriate that they be first on the list. For most employees, their first brush will be with people security. They'll be screened (even if it's a simple reference check) to see if they would make a good employee. And if there are ever any concerns about an employee's behavior - well, that's people security too.
If you've worked in Security for a long time, you might remember the pre-computer days. Back in those days, it was all about files and briefcases. Computers changed the world. Today, IT security is probably our most important tool.
Key business records are now stored digitally. That makes IT systems a constant target. Usually a phishing message will open up a way into those systems. The result can be theft, fraud or ransomware. Phishing and IT fraud are always evolving. You need to train employees in security critical thinking: the art and science of making smart security decisions.
Everyone works somewhere. Your workspace may be your home. It may be an office. It may be one hotel after another. Wherever you work, there are going to be security considerations.
You can think of security in a traditional office using the nesting doll idea. The biggest doll (the one the others fit into) is the least secure. We add more layers of security with every doll. The doll at the center is thus the most secure.
When building an office space, it's best to add security as part of the design. But if employees are working from home, they will have to help add layers of security. Do they have sensitive files? Then maybe they need a secure container. Is the desk right next to a window? Maybe they need a privacy screen for their laptops. One good way to do this is to create a security checklist for different environments.
You might be wondering why information isn't part of IT. For one thing, information isn't always IT related. Prototypes can contain sensitive information. Conversations between employees can contain sensitive information. So can documents, spreadsheets, project plans, text messages, video calls and phone calls.
Human beings are natural information sharers: we're social beings. That's why it's so important to set boundaries on what we can share and what we can't. The tool I recommend is the Traffic Light Protocol (TLP). It's a tool to help employees understand when it is and isn't OK to share information. In order from most to least restrictive, the levels are TLP:RED, TLP:AMBER, TLP:GREEN and TLP:WHITE (renamed TLP:CLEAR in TLP 2.0).
Standard security rules prevent things from going wrong. What happens when they go wrong anyway? Security in an emergency is about two things.
First, it's getting your employees through the emergency. In the case of a fire in a building, that means having a clear command structure and an evacuation plan. In the case of a corporate hack, that means having an IT Security lead ready to spring into action.
I said that security in an emergency has two aspects. The first is about helping your employees. The second is about getting your business through the emergency. This is often called Business Continuity Planning. A business continuity plan shows you exactly what you need to do to keep your business functioning. It also tells you how long each system or process can be offline before the business is impacted.
I like to think of the first part of Emergency planning as getting employees out of the building with the fire in it. The second part is about getting them back to work, somewhere else.
How the Five Areas Can Help
So what's the benefit of thinking of security in these five areas? I actually think it can help in three important ways.
There's a lot going on in security. The five areas show clients and employees that following security rules is easy.
It builds the security team
In a big security team, the IT shop may not realize how crucial the workspace security shop is. (Hint: your servers are in a workspace.) Understanding the five areas can help security practitioners work better with their coworkers.
It shows that you can win
Learning about threats can be scary and overwhelming. Breaking security into five simple areas shows that we can achieve security at work - and it's not even that hard.
5 Pre-travel Steps to be a Safer Traveler
Why worry about travel safety? Different travelers have different risk tolerance. I have friends who'll travel anywhere and just trust good karma to keep them safe. But if you're like me, you probably want to be a little more prepared than that!
Travel safety, to me, is about problem avoidance. When I'm in another country, I don't necessarily know how everything works. I don't necessarily understand the law, or social factors the way I do at home. The point of travel security is to avoid problems before they happen.
The good news is that you can take five important steps to make your travels more secure before you even get to the airport.
Choose your Hotel Floor
When you book a hotel room, it's tempting to ask to be high up in the clouds so you can look down on the city you're visiting. But the safest rooms, experts say, are between the 2nd floor and the 6th floor. The reason?
Being on the second floor (what Europeans call the first floor) means you're one floor up from the lobby. If there's a disturbance, or a terrorist activity, the lobby is probably where it will start.
The reason you shouldn't go any higher than the 6th floor is that fire ladders only reach about 6 floors up. Any higher than that, and in a fire situation, you'll be on your own.
Here's something else that will help you in a fire situation: a smoke hood.
Whether in a downed plane or a burning building, smoke inhalation is the real killer. A compact smoke hood can help you survive long enough to get out.
In a smoky environment, it can also be hard to see where you are. A powerful flashlight can help you get to an exit.
As a bonus, you could also use your light to disorient an attacker.
Personally, I'm a huge fan of the Fenix brand, as they deliver massive lumens in a small package - I carry an older model, but I have my eye on the new PD36R. At full output it packs a blinding 1600 lumens - but it has low output modes that allow for use around the house.
Once you get into your room, you're secure. Or are you? How many people in the hotel have access to your room key? And how sturdy is that door?
A handy little security device is a door jamb.
This little guy gets stuck under the door. If someone tries to push the door open while you're inside, it will do two things.
First, like any door stop, it will provide a level of kinetic resistance.
Second, it will let out an unholy amount of noise. Enough to wake you up along with other guests. The knowledge that lots of people are awake and curious will help to deter many would-be intruders.
Reduce the Flash Factor
So far we've seen four things you can bring on your trip. The fifth security tip is about what you don't bring.
A simple way to stay more secure is not to be a target.
Do you wear a lot of jewelry? Consider skipping it, or tucking visible jewelry inside your clothes.
You have a brand new iPhone? Consider not flashing it around in the cab or in the bar.
Did you take out a lot of local cash? Consider not pulling out a big roll of bills. Just pull what you need out of your pocket.
A Little Security Goes a Long Way
These seem like small steps to be a more secure traveler.
But security is like the old joke about the two hikers and the bear. Two hikers see a big, hungry looking grizzly bear. One of them pulls on his running shoes.
His friend asks him, "You crazy? You can't outrun a bear!"
"I don't have to," says the first hiker. "I have to outrun you."
Security works the same way. Many people don't take any precautions. Take a few common-sense steps to stay secure, and you can leave that bear way behind.
3 Ways to Make Remote Workers Security Aware
A New Workplace
As the COVID-19 pandemic emerged, more than three quarters of business leaders worldwide developed plans for remote work. Now that we're all learning to live in the new normal, Gartner projects that 48% of employees will continue to work remotely in the post-COVID-19 world. For security awareness, the remote worker has become indispensable. We need to learn to reach people wherever they work, be it an office, a hotel, or at home.
Many tools of the security awareness trade no longer work. We can't do displays in the lobbies of buildings. We can't put up posters.
So what can we do?
Maybe we can't put up posters, but how about desktops? How about backgrounds for video calls, or login screens for company computers?
Posters help us use physical space. We can also find innovative ways to fill virtual space.
Security And Team Building?
A lot of folks have been asking me how to incentivize employees to take part in security awareness activity in a new remote work environment.
One way is to blend it into other areas. As we learn to work in digital teams, team building is on everyone's mind.
You might want to take some time at lunch to do a team building quiz on Kahoot. The trick is to make the quiz have security content. That way you can build the team and learn about security at the same time.
Workers at Home
With so many folks working from home, how do we interest them in security messages, you might ask? Aren't they too busy trying to help the kids connect to online school and helping their loved ones figure out Skype? Or could this be the opportunity you are looking for?
The fact is, security that is good for adults is good for the whole family. If you can give your employees the tools to teach young folks how to stay safe and their loved ones how to use the internet responsibly, you're covering some of the major elements of IT security.
Being aware of phishing and spam. Not putting too much of your information out there. Adjusting security settings. Being careful with free software.
The principles of security are the same. But if you can empower your employees to help their families to be more secure, you'll be making them security trainers.