People, Process, Then Technology – Security by Design


As organisations move increasingly to cloud-based collaboration platforms, different kinds of security risks present themselves and require active management. Responsible SaaS vendors take the trust placed in them very seriously as one of their greatest assets – but on the client side there is still much that can be done to minimise exposure to breaches and hacks.

Gerald Beuchelt


We caught up with Gerald Beuchelt, Chief Information Security Officer at LogMeIn, to discuss the issues that clients should be aware of – and he stressed the fact that responsibility for information security can never be fully outsourced to any tool:

“With the SaaS model, there’s no need for manual updates, the vendor is responsible and accountable for maintaining the overall quality and security of the platform. So that’s something that really makes it much more accessible and easier for smaller companies, a lot less resource intensive, [compared to choosing] an on-prem platform where you are responsible for maintaining the software and keeping it up to date.

“But SaaS doesn’t absolve the customer of the responsibility to do things right, with the software they subscribe to.”

Shared Responsibility, Shared Awareness

Deploying a communications platform like LogMeIn on a subscription basis manifestly makes things easier for the client, who can take advantage of the vendor’s ongoing work to secure the platform and its proactive engagement with security issues – such as their 18-month preparation plan for GDPR compliance and the provision of a Trust Centre to facilitate user due diligence.

But clients still need to perform that due diligence for themselves, and indeed, Beuchelt stresses that technology is just one layer in the stack of defences against security breaches, accidental or otherwise. It’s more about the people and what they actually do with the tools they use than about the tools themselves:

“The critical piece in that is really employee or user education and awareness. There are three domains: People, process, and technology – in that order.”

The Human Touch

“Not to say that people are the weakest link, but humans represent the most important area of vulnerability to address. You need to make sure people fully understand what’s going on, and that they are aware of the possible dangers as well as the benefits. Then you need the right processes to make sure they stay safe, guard rails to operate within. Finally and lastly you provide the tools and technology in order to implement them.”

He is keen to stress that it’s far more effective to have the entire team aware of and alert to security and privacy concerns than to rely on the information security team to control everything. That awareness needs to be maintained and developed, so that it becomes part of everybody’s mindset.

“If you train them and engage them in the right way, your people can be your strongest defence”

Of course, making security part of everybody’s mindset would make life easier for the folks who still have to remind people about the same things over and over…

“We would love everyone to patch in a timely manner. Use long passwords and password managers. Not be thoughtless around sharing passwords, sharing screens, what they post on social networks… to fully understand that they are part of a larger organisation, and their actions can have significant impact on the overall success of what we’re doing.”

And when this awareness is reinforced at every level, with senior management driving its importance from the top down as well as providing training from the bottom up, that really helps your Chief ISO sleep well at night. Beuchelt concluded:

“Privacy and security by design – it’s about getting that culture right”
