Information security professionals have long viewed the end user as the weakest link in the cybersecurity chain, but that is changing.
The idea of humans as the most vulnerable point in security arises from the simple fact that humans make more errors than machines. In addition, we often assume that some users will do the wrong thing despite mandatory training and constant reminders of best practices.
But as technology has evolved and software-as-a-service applications have become commonplace in the modern work environment, end users have become a strength, not a weakness, in many organizations. Let's look at how this has happened.
A balanced cybersecurity culture
Organizations that build a strong security culture by engaging their users through an ongoing awareness process create more formidable barriers that attackers must penetrate. But the training has to go beyond 20-minute information security tests during new-hire orientation.
Users need to be given the tools that provide visibility into the risks that accompany applications so that they can own their security. Providing employees with security tools makes them active defense members, not bystanders. They become involved in solving problems, identifying vulnerabilities, or sharing anomalous behavior, which improves an organization's security posture.
The goal is to empower employees to make decisions about the applications they use. That makes sense, because they know the business context of the apps they use and how these apps can help them do their jobs better.
By engaging employees, organizations improve their collaboration and streamline security. Employees help provide extra support for security teams that are overly busy and understaffed.
Security teams take the lead
This is not to say that end users can completely replace information security teams. Security teams should retain full visibility and control over SaaS security while welcoming extra hands. The two should work in concert, balancing the general security load throughout the organization. Security leaders can take a decisive leadership role, while employees can act as the eyes and ears.
Business leaders should not see involving employees more in security processes as redundant to security teams. Security leaders, in turn, should not see this culture shift as a loss of control over the organization's overall security.
It is more of an evolution of security processes. The threats facing organizations continue to grow. More SaaS applications continue to make businesses more efficient, but they also increase the network's attack surface.
It's not uncommon for communications tools to link with project management platforms, which are then paired with timekeeping applications and customer resource management solutions. This interconnectedness creates many entry points for hackers. Once inside, hackers can use these networks to navigate toward the data and resources they want.
Being prepared as the world evolves
Organizations have come to rely on SaaS tools for their employees to work. Although these tools help increase productivity, they also increase a company's attack surface. As remote work becomes more popular and ingrained in today's corporate culture, the need to secure these applications will only increase. Security teams must have visibility into these tools and the people using them.
This is where empowering employees can provide true value. Employees must understand the risks but also have the capability to identify anomalous behavior. Empowering these employees to be allies in the fight against cyber threats can provide unlimited value.
The challenge is finding a way to engage employees so that they feel empowered to identify potential attacks without becoming overburdened with training and additional responsibilities. Simply making an initial effort can help create a snowball effect of success.
A changing future
As the threat landscape shifts, so should how information security leaders approach training employees. Traditionally, security teams have pushed training on employees that asked them not to make simple or careless mistakes.
But by giving employees the right SaaS security tools, security teams can turn their colleagues into a formidable defense force. This additional responsibility is not meant to turn employees into security staff; they have their own roles.
It's more about allowing employees to invest in their company's security and performance. It’s better to be an asset than someone hoping not to make a mistake. Many employees will take this challenge to heart.