In the world of IT, chief information security officers (CISOs) have been seen as the bad cops. They are the ones preventing a company's employees from taking advantage of all the wonderful data-sharing tools at their disposal. It's the security organization that limits users' access to Google Drive or Dropbox, blocks personal email, and pulls the reins on Slack.
As the old joke goes, CISOs put the "no" in innovation.
Sadly, this is still true in some organizations. But I'm happy to report it's not the case everywhere. At companies that are driven to out-innovate their competitors, employees are encouraged to share files, flip documents to one another, and workshop projects with colleagues in real time. In these companies, security teams have figured out how to make file sharing via cloud collaboration tools safe and secure.
I am challenging more organizations to adopt similar approaches to collaboration. Here are some key considerations that security teams—and CISOs—should take into account on their journey to secure collaboration.
It's the data, people
Enterprises that are keeping pace with today's digital workplace rely on dozens of data-sharing tools, from email and chat to collaboration platforms and online storage. Some of these tools have been approved by IT and security organizations; some have not.
In fact, according to the 2020 Global Data Exposure Report, 37% of employees use unauthorized apps such as WhatsApp, Google Drive, or Facebook to share data with co-workers every day.
Employees are usually not using unauthorized apps to make their companies less secure. Most often, they're doing it to share ideas and move their companies forward. And if security tries to keep employees from using these tools, or limit their options too severely, a significant number of employees will sidestep and use them anyway.
For this reason, security solutions should be focused on the thing that matters most—tracking the data that's being shared regardless of the tools employees use to share that data. As long as security can monitor where the data is going, who it's being shared with, and whether it's leaving the organization, they can support the collaboration tools their employees need to keep the company moving forward.
Partners in security
Secure collaboration is about more than simply encouraging collaboration and monitoring data flow. It's about partnering with employees to help them use file-sharing tools more securely.
When internal groups come to security and say, "We really need to use this new tool," the first response should be, "Have you tried this other application that we already have, which does the same thing?" And if that new tool really does offer something unique and valuable, security should consider adding that solution into the mix and start monitoring how it's being used.
Then, spend a lot of time training employees so they know the right way to use file-sharing tools—and so you can reduce your risk of falling victim to unintentional insider threat incidents. If you can, dedicate a training and awareness person to make sure users know how to set their permissions so they don't share sensitive data too publicly or widely by mistake.
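The data-centric monitoring described above, tracking where data goes and who receives it regardless of which tool moved it, together with the permissions point about over-broad sharing, can be made concrete with a small normaliser. The following is an added illustration, not code from the article or from any collaboration product: the organisation domain, the two tool-specific record shapes, the field names and the sample events are all constructed assumptions.

```python
"""Tool-agnostic share monitor (illustrative, not any product's code).

Share events from different collaboration tools are normalised into one
schema, then each event is checked for data leaving the organisation or
being shared with anyone holding a link. All field names and the sample
events below are constructed for this example.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: the company's own email domain


@dataclass(frozen=True)
class ShareEvent:
    tool: str
    actor: str
    resource: str
    recipients: tuple  # email addresses, or "*" for a public link


# Constructed audit records in two made-up, tool-specific shapes.
DRIVE_EVENTS = [
    {"user": "alice@example.com", "doc": "q3-roadmap.docx",
     "visibility": "people", "shared_with": ["bob@example.com"]},
    {"user": "alice@example.com", "doc": "pricing.xlsx",
     "visibility": "anyone_with_link", "shared_with": []},
]
CHAT_EVENTS = [
    {"sender": "carol@example.com", "file": "customer-list.csv",
     "channel_members": ["dan@example.com", "vendor@partner.example"]},
]


def normalise_drive(ev):
    """Map a drive-style record onto ShareEvent; link sharing becomes '*'."""
    if ev["visibility"] == "anyone_with_link":
        recips = ("*",)
    else:
        recips = tuple(ev["shared_with"])
    return ShareEvent("drive", ev["user"], ev["doc"], recips)


def normalise_chat(ev):
    """Map a chat-style record onto ShareEvent; every channel member is a recipient."""
    return ShareEvent("chat", ev["sender"], ev["file"], tuple(ev["channel_members"]))


def classify(event, org_domain=ORG_DOMAIN):
    """Return the findings for one normalised event (empty list if none)."""
    findings = []
    if "*" in event.recipients:
        findings.append("public_link")  # shared too widely by link
    external = [r for r in event.recipients
                if r != "*" and not r.lower().endswith("@" + org_domain)]
    if external:
        findings.append("external_share")  # data leaving the organisation
    return findings


def review(drive_events, chat_events):
    """Normalise both feeds and return {(tool, resource): findings} for flagged events."""
    events = [normalise_drive(e) for e in drive_events]
    events += [normalise_chat(e) for e in chat_events]
    flagged = {}
    for e in events:
        findings = classify(e)
        if findings:
            flagged[(e.tool, e.resource)] = findings
    return flagged


if __name__ == "__main__":
    for key, findings in review(DRIVE_EVENTS, CHAT_EVENTS).items():
        print(key, findings)
```

The point of the two `normalise_*` functions is that the check in `classify` never needs to know which tool produced the event; adding a third tool means adding one adapter, not rewriting the policy. In practice the recipient list would come from the tool's real audit API and the domain allow-list would include approved partner domains.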
Effective security needs to be a collaboration between the team responsible for ensuring data safety and the people who use that data to help the business achieve its goals.
Acceptable levels of risk
Ultimately, the job of the CISO is not to eliminate all risk in the organization. Even if that were possible, it would grind business to a halt. A CISO's job really comes down to balancing risk and reward. And that means collaborating with other business leaders in the C-suite.
CISOs should constantly take cues from the board and CEO about the risks the company is willing to take in order to reap certain rewards. CISOs also should help educate other leaders on the potential pitfalls a new technology, market, or geography may pose. That way, they can have a frank discussion and come to an understanding about it.
Pull the necessary people into a meeting and talk through the likelihood that something goes wrong, the impact an incident would have on the business, and how to mitigate it. At the end of the day, it should never be just the CISO making the risk decisions for the whole company.
Innovation with security can happen
There are enormous rewards to encouraging employees to share data and innovate. Organizations just need to come up with creative ways to monitor what's happening and gain visibility into how data is being shared.
It's possible to be both an extremely innovative organization and one that's highly secure, if you're willing to take the necessary steps.