Change is evident everywhere
Last week, at the Saviynt Converge Conference, I remembered how many things have changed in the past year, as with most year-end reviews. These types of reviews have been something that I have tried to comprehend and embrace. In many ways, it feels like my early days in the Personal Computer (PC) world, more so than the Dot Com changes of the late 1990s.
One thing that really resonated with me from Saviynt Converge was when one of the keynote speakers, Jim DuBois former CIO of Microsoft, reflected on the ever-changing landscape of enterprises. He discussed how there are key activities companies need to fix (e.g. behaviors and culture) in order to enable businesses to fix what is broken and ultimately reinvent themselves. On the plane ride home, I picked up the Southwest Airlines Magazine and saw this concept being discussed by the CEO of Southwest, Gary Kelly. In his greeting, he touched upon the importance of resiliency and gratitude and how, at Southwest, they have had to adapt to overcome big challenges to make sure the whole family of Southwest prevails.
Making changes to what is important to you and your company becomes clear in hindsight, but a little reflection of what is important and impactful will definitely help. This is a concept I constantly recall when looking at Policies and Procedures that companies consider when implementing Risk-based Controls. For example, if you have Controls that are tested monthly, quarterly, or annually and have no exceptions, maybe that control is not truly effective, or not well designed. Putting these controls in place are not considered improvements, but by evaluating individual behaviors through periodic reviews will determine the effectiveness of your overall security.
How does your organization adapt to the changing atmosphere?
At one company I worked with, there was always the dichotomy of effective security and individual user impact. In many cases, the company was very effective in analyzing the inherent risk of individual impact over control implementation risk. Specifically, by utilizing a solid Multi-Factor Authentication (MFA), the length of passwords and the frequency of changing those passwords were diminished. There was a small speed bump implementing the MFA, but it did not run the risk of having to remember 20 character passwords AND changing them every 60 days. After the initial set up and use, the number of supports calls reduced, and the primary individual’s accounts were not compromised.
The ease of use for individuals is critical for acceptance. Implementing MFA seems fundamental to the technical crowd, but to individuals with privileged access there has to be a more in-depth understanding of the business risks involved.
When this organization implemented the change to MFA and reduced password change requirements, individuals became engaged with Information Security. Employees alerted IT Security if they saw that someone was trying to exploit their account credentials. The review and change in policy actually had additional benefits to the company, beyond what was expected. Positive user behavior was improved, and a sense of ownership was created. Additionally, from a controls perspective, we could correlate and detect if privileged access was securely being executed. The access reviews detected if MFA was being bypassed, notifying the system administrator. In this case, there was a custom-scripted exception that needed to be monitored and approved by the administrator.
This is a great example of a way companies can use the review and change control policies and can improve their security posture and communication while enabling individuals to exercise good behavior. The overall security is improved without negatively impacting business outcomes.
Next time, I will share with you my perspective as well as a few stories on approaches to options on how companies are incentivizing good security practices.