Multiple factors come to mind when considering how to secure a large organization from cyber threats. Applying the proper framework, such as the NIST cyber security framework (CSF), and layering this framework with the proper administrative and technical controls can be challenging even in the best of times. However, our current threat environment is evolving at high velocity with no sign of slowing down any time soon. Simply throwing technology at the problem is not always helpful; organizations may end up as ‘tool collectors’ with expensive technology on the shelf with limited to no use. In public sector education where limited budgets and resources are the norm, this strategy can result in negative outcomes.
The saying ‘rules before tools’ has stuck with me for many years. Without proper security policy, any tool usage is necessarily limited to the scope of the technology and likely will not be as effective as it could be. In an educational environment, excessive rule (aka policy) creation can be difficult and is historically fraught with challenges to implement. In our current era of ransomware, breach notification laws, cyber insurance, and regulatory compliance, robust security policy is no longer something that is nice to have, but rather a cost of doing business.
The secret to the design of policy and technical controls does not simply mean having the best engineers or strict management rules. While these things are helpful, we can all take a lesson from the vendors who regularly contact us. Over the years, the ‘good’ vendors, or the ones I have worked with regularly, contacted me originally understanding there would be no short-term sale. Sometimes it has taken multiple years to make that first sale, but the relationship has lasted over time for both parties involved. In much the same way, a security manager making contacts in various departments might not have real or immediate effect, but over time trust and common understandings are built and those relationships become invaluable.
During my early years in security, I had a manager once tell me ‘If the other members of the organization like you, you are not doing your job right.’ While humorous, this could not be further from the truth. Creating an adversarial relationship with the IT organization or other areas of the university will make it nearly impossible to fulfill the responsibilities of the information security role. I would argue that negative relationships make life difficult because trust is the fundamental principle of information security, and with bad relationships there is never a sense of trust. For someone to reach outside their comfort zone, they need to trust the message. The easiest way for someone to trust the message is for them to trust the messenger.
Building positive relationships takes constant, hard work. In education this means ongoing outreach towards faculty, staff, business partners, and students. Governance meetings are a start to building bridges with faculty and staff. Outside of these meetings, take the time to create meaningful relationships with key stakeholders – especially if they are not in your management chain. I have found that when presenting in governance meetings it is helpful to make a few phone calls beforehand for one-on-one discussions, so that you fully understand the stakeholder issues before speaking to the larger group. Remember that this is a conversation; it is a reciprocal process in which the policy needs are explained as well as an opportunity to listen to the stakeholders’ concerns.
One of the most important skills in security is to gather as much information as possible by understanding the concerns of the business, the faculty, and the students. Our problems are rarely caused by an individual user being ‘lazy’ or not doing their job. Faculty are concerned about teaching and doing research, staff are concerned with the business of running the university, and students are concerned about their midterm next week. When you can communicate that you have heard and understand their concerns, this understanding will play a large part in being able to convince your clients to tolerate the inevitable challenges that both technical and procedural controls create.
Many times, cyber security professionals in the education field underestimate the amount of work it takes to keep up with the academic side of the house. Being available to meet with individual faculty members when they have concerns or complaints may seem like extraneous effort, but in practice I have found that taking a little extra time with your stakeholders is time well spent. An effort to understand various viewpoints will often convert critics to supporters, and the support of former critics has a multiplicative effect on your credibility with others. You may find that a faculty member has good reasons for not wanting to comply with a certain policy, or perhaps your policy is flawed in some fashion you didn’t realize. The only way to find out is to listen, truly listen, to them.
Another step in building these relationships is to collaborate in activities that assist academic departments. Whether it is guest speaking in classes, using data to help with research, hiring interns, or being available to students who are looking to connect with a professional in the field, all of these activities will build your credibility in the minds of stakeholders. These activities require precious time and resources; however, they should not be considered a cost but rather an investment in your organization’s success.
The final thing to consider is that you will not always make the necessary progress at the speed you need. Sometimes you will only get a percentage of what you want from stakeholders. Remember – security is not a revolution but an evolution. It takes time and effort to create a good security program. Building the needed technology and policies takes time, and the fastest way to success is to build solid relationships with various stakeholders to create the proper security culture. Creating such a culture takes community, not technology.