I was talking a person in the education industry recently and she related to me how schools are having issues with tablets they provide to students and school computer networks; namely the kids get around security measures and in some instances are selling access credentials or methods. Naturally the schools are paying some sort of third party for firewall, intrusion detection systems, etc, but I was surprised/not surprised when I heard how they didn’t make these vendor/product selections. They never consult the kids. They don’t consult the kids on promotional videos, they don’t consult the kids on the network vulnerabilities, they don’t involve the kids in securing the networks.
This isn’t too different of a picture from what we see everywhere else today in the security industry – the C-level knows today they need to care about the insider threat, but too often they consult only the point of sale for possible solutions when getting a reality check from the workforce could go much further. Beyond a reality check of our assets and security posture, we can go even further and actually give employees ownership over security. In my military days there was something along the lines of, “every soldier is a sensor.” It’s certainly not a new concept and really the efficacy of it lies in the execution. It’s one thing to say “we have a policy that employees report,” that’s great, you should have a policy, but policy does little to motivate on its own.
Integrating what employees (or the kids) are telling you into visible changes, or some level of transparent feedback, feeds into that sense of ownership – that’s what motivates people. In the case of the kids, I’d love to hear of a school teaching pen testing and essentially creating a white hat team responsible for the day-to-day maintenance of the school network. That’s not really practical in a workforce situation, but figuring out how to make your workforce part of your insider threat hub, rather than just a data feed you may or may not get, could change that dynamic.