How poor communication could be hurting your security and what you can do about it.
Lack of interdepartmental communication is hurting your IT security. And not just yours. Everyone’s. This problem spans departments, companies, industries, and state lines. This is a common issue everyone lives with. It’s ruining products, destroying employee morale, and even causing data breaches.
How does a communication error result in a data breach? To put it simply, if departments don’t work together, security doesn’t happen.
Ultimately, department heads aren’t the only ones affected by interdepartmental communication problems. If these problems lead to a breach, the entire company suffers. Not to mention the poor customers whose data was stolen by a hacker in the midst of this rampant communication debacle.
Each department hires like-minded people, which can lead to problems if each department cannot communicate effectively. Departments or teams often work against each other because of pride or elitism. Maybe they feel the other group is not competent. For example, a team may decide to branch off and handle an issue on their own because they feel the other group is too busy or isn’t capable.
Additionally, culture from other companies complicates this when employees are hired on from the outside. If an IT department hires three new employees from three very different technology companies, each will have a different expectation of how their team should operate. Some may compare their old companies to the new company through phrases such as “But at my old company…”. Others may have come from companies with a culture of good communication and become negative or discouraged in a culture of poor communication.
Another contributing factor to communication problems is what I like to call "techspeak", endearingly called "technobabble" in some circles. All industries, and even companies within the same industry, use different lingo to mean different things. In some circles, only certain verbiage is considered appropriate or accurate. You could be speaking about the exact same process, but using entirely different terms to describe it.
Here’s an example. I use the term ‘grep’ all the time, like a total geek. As in, “I’ll go ahead and grep for it.” Only a tech geek would understand that ‘grep’ is a Unix term for ‘search’. If I said ‘grep’ to upper management, they would probably think I was going to fix the problem, when I only meant I would search for a solution.
Once all these factors start muddling up departments, tension starts to build. Pent-up frustration is taken out in meetings. Departments forget to talk to each other. Lack of IT security communication becomes part of company culture. Department goals polarize. Eventually, the company devolves into tiny clusters of semi-functional groups instead of a working whole.
It's tempting to think, “This isn’t a problem in my company.” But communication can always improve. While company policies are in place to facilitate some forms of communication or to provide positive channels for communication, policies ultimately aren't a good solution for communication issues. Working on teams day after day, trying to solve problems in large groups, dealing with different perspectives, personalities and priorities can add a lot of stress to employees. There will be times when anger, frustration, hurt feelings, pride, resentment, and fatigue create conflict. Having good communication can help your employees resolve these issues.
In my opinion, communication problems are the #1 reason you lose star employees. Communication problems are extremely demotivating to an employee. Mountains of hurt feelings, department feuds, and poor security become tiring after a few years. “Nobody even cares about security around here.” “Nobody even likes me in this company.” “Nobody even asked me for that security report last month.” IT security guys are especially susceptible to this demotivating environment.
Throughout my conversations with recruiters in the IT security and medical spaces, I have found that company culture often competes with salary as a selling point for companies. They will often upsell a better company culture over salary. Sure, salary will always play a role in their pitch, but they realize from talking to a never-ending stream of unhappy employees that company culture and team communication are the key to success and happiness. I have talked with numerous developers and salesmen who weren’t even looking for a job, but jumped at the opportunity when offered a better work environment. Obviously, you can’t keep everyone happy. But if you don’t want to lose your superstar employees, this is a good point to remember.
Even more important than your decreasing employee morale is your company’s diminishing security. The reasons for that insecurity are extremely simple to fix. On an audit I conducted a few months ago, a company supervisor and I were confused about why logs from the IDS/IPS weren’t being checked. When we asked, the IT employee simply stated, “The alerts from the IDS were noisy, so I turned them off.” A simple communication from IT to the supervisor would have allowed the supervisor to assist the IT employee with proper IDS/IPS configuration, allowing for a much better security posture.
That’s just a simple example that could extend to any point in your security process. Are product managers communicating the implementation dates for new products to developers? If not, security might go on the back-burner while developers scramble to launch the product.
Obviously, communication is a giant problem, which means you won’t be able to fix it overnight. But you can be the one to start the change at your company. Here are seven things to consider when instigating your communication transformation.
HR departments, department directors, and CIOs need to acknowledge that poor communication is probably costing you money. It’s costing you employees. It’s costing you customers.
Just for a second, think of the one problem that keeps you up at night. I bet in 90% of cases, whatever problem you are thinking of boils down to communication issues across departments. I’m definitely guilty of hastily glazing over an issue just to later realize it was a communication problem. It could have been solved right away, but since I prolonged it, it only got worse.
Now that you’ve passed the 'admit-you-have-a-problem’ stage…
It sounds like a no-brainer, but training is how you can prevent hurt feelings and process problems. Train your employees on how to talk about difficult issues, have open and honest communication, how to accept feedback, and how to listen. This can be a somewhat painful transformation, but regular training and practice can help transform your company culture.
Your trainings should probably address:
I know, the last thing you need is another meeting, but these don’t need to be long diatribes. They should focus on discussing what each department needs from the other, including timelines, milestones, and goals. Proactively and honestly talk about what’s going well, and what’s not.
Everyone has their own view on how certain issues, including security issues, should be handled. All it takes is one misguided or misspoken piece of feedback to hurt someone’s feelings and completely derail the course of your team’s security efforts.
I’ve worked with companies where both new and seasoned security experts’ knowledge is questioned. So when departments come together for a combined security effort, everyone is walking on eggshells. Be mindful of this.
Sometimes employees just want to know the ‘why’ of things. Why are we buying this product? Why didn’t we buy the product I researched and suggested? Why didn’t we implement this solution?
When employees don’t get answers to their ‘why’s’, they decide to take matters into their own hands. And that’s when security and process problems start. Remember, your employees have the keys to the kingdom. You rarely hold anything other than the checkbook. Answer those employee questions as quickly and succinctly as possible.
You don’t always have to spell it out to your IT team, but having a reason will give your team a direction and will keep their motivation up. Otherwise they may just throw in the towel (and your security with it).
You can’t get mad at other departments for a faulty communication process if your own department’s communication process is also fundamentally flawed. So how do you prove to other departments that you are, in fact, dependable? I recommend setting up a ticketing system as transparent communication into what your department does, and how quickly they do it.
I’m not talking about conference room trust falls here. Make your exercises fun! Learn what your employees’ culture is, and adapt. For example, have your departments get together to play laser tag every month. Or get your teams to intermingle in a weekly LAN game. People who play together, stay together! Do what is feasible for your company, but make sure each group and team knows its roles and responsibilities and is able to work cooperatively with the others. It really can be fun.
I’ve rarely seen a breach happen due to highly advanced cyberwarfare (although they do happen). Most IT security breaches boil down to employee communication problems, which lead to real-world problems and security vulnerabilities (firewalls not properly configured, employees not trained, systems not patched, logging not enabled, etc.). The bad guys take advantage of those problems while we are arguing amongst ourselves. If you start in your own department to be more open and willing to communicate with others, I promise your security environment will begin to improve.