Better OpSec Through Collaboration
Jessica Rose is a self-taught technologist obsessed with technical outreach and education. She's founded the Open Code meetup series, co-founded Trans*Code and is happily helping CrateDB reach more developers with their open source SQL database as their head of developer relations. She's always interested in hearing about new tech and projects. You can find her @jesslynnrose and on her website.
Good security starts with your team. Securing project, customer and other data is vital to your team's survival. Securing your team’s daily operations and communications is the most important first step you can take towards better overall security. But few teams manage to meet their security goals. Lack of buy-in across teams and inconsistent use of security tools and practices can undermine the best intentions. If traditional, top-down decrees from management for better security practices haven’t worked for you in the past, working together as a team to explore your security needs and solutions may be the fix you need.
Traditional, Action-Led OpSec
Traditionally, teams have rolled out new security from the top down, with managers directing their team to take specific actions. These directives are often divorced from the context of their security goals, leading to a lack of both understanding and urgency for the assigned tasks. A manager telling a team that they’ll all need to turn on two-factor authentication on email accounts might be a familiar example of this action-focused, top-down approach. Directing your team to take an action like this may seem simple but can result in a number of familiar challenges. Busy team members with little understanding of the importance of 2FA may delay or neglect to complete the task. Team members who don’t understand the purpose of 2FA may later disable the feature or develop insecure workarounds if they feel it is an inconvenience. For managers this can mean chasing your team for compliance at regular intervals.
When the CrateDB team wanted to look at our security needs, we spoke with cyber security expert Michelle D'israeli, who advised taking a wider view of security instead of implementing solutions in the traditional, top-down way. “Two-factor authentication can be a great security measure, but if teams don’t understand the benefit it brings, it can seem like a hindrance rather than a useful tool. And for some teams, there may be other security issues that they believe need to be addressed more urgently.”
For your team to invest in your security goals, they need to understand them. Explaining the risks your actions are intended to mitigate, how the directed security actions address these risks, how their workflows will change and what security risks will remain is a vital part of educating your team. Passive experiences like videos or slideshows often fail to hold enough educational value for team members to fully invest in security processes. Active educational experiences and peer-supported professional development take more time and effort but offer greater learning potential. Taking the time to invest in your team’s security education can add valuable skills that carry far beyond your immediate needs.
Start With Goals
Where leading by decree often fails, creating an environment where your team feels responsible for selecting security choices can often succeed. By working with your team to better understand the risks to be addressed and what solutions are available, through education and working alongside security experts, you may guide your team to select the security actions best suited to your needs. By working with an informed team, given agency and guidance, you can make collaborative security choices with whole-team buy-in behind them.
In environments where security actions may be directed from higher up in the company than a team lead, working collaboratively from security goals still holds potential. Your team may not have a choice in setting 2FA on their company email accounts, but may want to take additional security actions when asked to examine the goals surrounding this request.
Michelle advises that “Good security comes not from technology, but from understanding your risks, and from understanding your true business security goals.”
Good operational security is a process, not a set of isolated directives. Collaborative choices made by your well-educated team need to be part of a living security process. The choices you make now may not suit your team or project in coming months and years. Book time with your team for regular security reviews and checkups. Inviting your team to regularly raise their concerns and share information helps to round out your approach to operational security.