The identification of threat actors is a major part of any cybersecurity job. In order to protect against harm to your organization, you need to identify those who would harm it. The identification and classification of threat actors is covered in Objective 1.3 for the CompTIA Security+ Exam.
As I was going through this section, one thing that struck me was that this area meshes directly with a few other interests of mine: Process Design and Organizational Operations.
You see, it isn’t just hackers or Nation States (Advanced Persistent Threats) or competitors who are external to your network you need to worry about if you are working in the cybersecurity field. If you are just focused on keeping the outside actors out of your network, you are missing half of your job. Your job is to keep your organization’s data secure, and that includes protecting your organization from data loss that originates inside your own organization.
Sure, you have to think about disgruntled employees who may purposefully remove data from your network. That’s why most organizations will block things like Google Drive or Dropbox from being accessed by their network resources. But most data loss from networks isn’t malicious; it’s a result of employees who take risky shortcuts while simply trying to get their work done.
Where Process Design and Cybersecurity Meet
It can be incredibly easy as a Cybersecurity professional to prevent data loss by adding more processes. More authentication points. More approvals. More bureaucracy. You can add all of these things and then rest under the illusion that your network and your data are secure. You can impress the auditors by listing off all of the tools and hoops you have put in place to prevent data loss.
But you have a huge blind spot: Your Employees, who still need to be able to do their job. Most employees are not threat actors in the nefarious sense. They don’t want to put the organization at risk. But they have a very different set of motivators in place. They need to be able to get their jobs done. In some cases they’ve got productivity goals they are under pressure to meet by their bosses. They need to be able to meet those goals and keep their managers happy.
And if your security procedures, piled on top of them in a willy-nilly fashion, slow them down…they will find workarounds. This opens up your organization to the risk of data loss, but it’s perfectly understandable why that would occur if you look at the organization holistically.
This is where cybersecurity professionals need to fully understand how the different pieces of the organization function, and how to best protect the organization from data loss without creating a process that is unsustainable. Just because a tool is the latest and greatest doesn’t necessarily mean it should be brought into your organization if you have already mitigated that risk through other means.
Don’t add more risk to your organization by forcing your employees to go around your checkpoints just to get their work done. Work with them to understand what they need to do, what their needs are, and then work together to design a comprehensive policy that will both protect the organization AND allow your employees to do their jobs.
After all…if they can’t do their jobs, the organization won’t survive. And if the organization doesn’t survive, what have you got left to defend?
To quote Red Green, “We’re All In This Together!”