As organizations become global, often so do their security teams. Increasingly, CISOs are being asked to staff and organize security teams that support the organization locally across a variety of geographies – it’s no longer just about building a 24/7, world-wide security operations center (SOC).
Now, security teams must address complications that account for local cultural expectations of what constitutes a security threat. For example, in some cultures fake news is considered simply a nuisance while in others it’s treated as a digital threat that can result in significant reputational damage or even physical violence targeting an organization. But unfortunately, this nuance is all too often missed when building and maintaining a security program, and the resulting one-size-fits-all approach that security teams historically build tends to fail.
Today’s SOC leaders must create security programs that are flexible enough to account for different cultural perspectives, but still have the proper guardrails in place to ensure maximum security for their organizations. This might seem like a daunting task, but it can be accomplished as evidenced by the work Cimpress SOC Team Lead Intidhar Ayadhi is doing at her organization. According to Intidhar, there are a few best practices to follow that can strengthen a security team’s ability to protect its global organization from today’s cyber threats.
Making Threat Models Relevant
Certain geographic locations have a higher tolerance for risks than others. As much as it makes sense to put global security standards in place that set a framework for everyone to follow, security teams must be sensitive to cultural differences and build programs that are relevant to the various locations they support.
To successfully do this, security needs to work hand-in-hand with business leaders when creating the threat model. Since business leaders identify and set company goals specific to their location, they have a better understanding of what types of threats will stand in their way of meeting those goals. Security’s role, in this case, is not to dictate what the threat model should be, but instead to design the process for protecting against the threat model by mapping the security infrastructure back to the business objective.
Policy: Awareness Not Restriction
Many organizations will create a policy framework that standardizes procedures employees need to follow to protect confidential information belonging to the business – such as proprietary data living both on-premise and in the cloud, and the use of business assets, such as hardware, networking and computing devices.
However, security teams need to tread a fine line when creating their policy frameworks – they shouldn’t discourage employees from working the way they want and from the devices that make them more productive, but at the same time, they cannot forsake the security of the business while doing so. This is especially paramount for global organizations that may have employees working from remote locations while using personal laptops and other devices.
For these reasons, policy frameworks should be designed with an eye to increase employee security awareness instead of restricting, or in some cases denying, access to the devices they like to work from. The policies that work best for global organizations are uniform frameworks that account for basic security sensibilities but that also engage employees to be responsible. For example, ensure employees understand they should not click on links sent by sources they don’t trust. On top of that, policy frameworks should also incorporate detection and response capabilities so that if an employee does make a misstep or even acts maliciously, security can respond and correct the issue right away.
Working Together with Security
There is a general misunderstanding that employees should only interact with the security team when something goes wrong. Instead, the best security teams are approachable to everyone and encourage all employees to engage with them to ask everyday questions – like how to secure their social media accounts, or which applications are more secure to use, etc.
When everyone in the business feels empowered to engage with security, then they become more aware of the important role security plays and thus will less likely face compromising security issues. On the flip side, security will have a better understanding of how the business is conducted across different departments, thereby strengthening the team’s ability to create the security infrastructure that supports the organization’s goals. Best-in-class organizations will proactively engage the security team in larger risk management decisions.
Hiring for Diversity
One of the most important things an organization can do to strengthen its global security operations is to ensure different cultural perspectives are represented in its hiring process, and thus its workforce.
A challenge that security teams often run into is they will treat every breach or security issue the same. This approach is not viable for long-term success of the business since breaches are constantly evolving. Change in how security teams operate is desperately needed to keep pace with new threat landscapes, which is why employee diversity is so important. People who live in different parts of the world can offer new ways to secure against different attacks simply by sharing their unique understanding of how to stop a threat they’ve encountered that no one else has.
When the hiring process embraces diversity and change, the security infrastructure will mature naturally. And as teams empower individuals to share their diverse perspectives with the organization, recruiting and retention numbers will naturally go up, which is a recipe for success for everyone – employees, the security team and the business.
At the end of the day, it is important for security teams to understand how threats are perceived across all regions and by different employees with unique backgrounds. Only then can teams build a global security program that works to combat today’s sophisticated threat landscape, and more importantly, can stand the test of time.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.