The Work Prevention Team

I don’t know about you, but during my career I’ve railed against security controls more than once. An odd thing for a cybersecurity professional to say, but I’d be very surprised if any honest person, especially one who’s worked in cybersecurity, would say any different. Some control was imposed that curtailed your ‘freedoms’ and you yelled so loud and so convincingly that those controls were either reduced or removed altogether. We’d come up against the “Work Prevention Team”, otherwise known as the cybersecurity team (for the older readers out there, we also know them as IT Security), and we’d won.

It seemed that just about every control put in place made our lives harder. In some cases, the controls might actually prevent you from doing something key to your role. The truth of the matter is that the teams imposing those controls didn’t have the tooling to offer granularity or the capacity to use any flexibility that might exist. Early cybersecurity was usually being delivered by the IT Support team in a desperate effort to keep systems running. These teams were, absolutely, doing their best to ensure you could keep working tomorrow but quickly users began to resent the rushed controls and the people behind them.

We’ve certainly moved on from there. Today, we have dedicated teams populated by people with degrees in cybersecurity, industry certifications and more tools than you might imagine. Yet still the label of the “Work Prevention Team” or “The Team who say ‘No’” follows them around. While this may be thought of as just a name or term, it has a real impact on how people view information dispensed from the team. We see this in the success of phishing attacks.

While phishing has progressed, and we see more coordinated, considered, and targeted attacks (spear phishing), people are still taking the bait at levels that shouldn’t be the case. Most organisations are spending time and money on education, but it’s apparently not gaining any traction with the audience. I believe this has a lot to do with the feeling toward cybersecurity in general. If the audience see the training as yet another control that’s going to make their lives harder, they are going to give the bare minimum to complete the assessment at the end of the course, if there is one, then forget or ignore it.

We need to change that view.

It starts with changing how we approach cybersecurity in general. As I say a lot, and will continue to say, cybersecurity is an essential part of doing business. A good cybersecurity implementation ensures that the company continues to do business by deflecting and/or containing attacks. It also ensures that the controls are simpler, easier to understand and more effective as a result. This emerges from flipping the whole approach on its head. Don’t try to restrict what users with lots of access can do; focus on enabling what users with basic access can do.

Cybersecurity isn’t about restricting, it’s about enabling. So many other aspects of business have shifted focus to being enablers and we need to follow suit. The technology exists to allow us to do this; it’s simple to understand and it’s simple to implement. One note of caution: don’t start down this road until you fully embrace the change of view. Building an enabling cybersecurity environment while harbouring a restriction mindset will end in a complex, brittle and dangerous implementation – you don’t want to be there.

When we start thinking about how we can enable people in the organisation, it’s a paradigm change. The ethos of the cybersecurity team changes. We can allow our people to do more things, to be more self-sufficient, more empowered. It shifts the view of cybersecurity to being the people who say ‘Yes’, the Work Enablement Team. And maybe, just maybe, that message of not acting on the suspicious message until after you’ve verified it’s actually safe might actually stick.

I’d love for people to comment with their experiences in this space and how they implemented this kind of approach. I’m also interested in anyone who’s struggled in this space, or is struggling. Share your thoughts, there are no wrong answers.
