People, Process, Technology: Building a Strong Security Posture within the Golden Triangle

By Chris Wayne

Although the importance of prioritizing security is universally understood, certain strategies and practices (typically the most basic) are often deprioritized or overlooked. Employee training, issuing patches, and maintaining basic best practices for good cyber hygiene are forgotten in favor of tools built on AI, emerging technology, and strategies that draw interest from business stakeholders and decision-makers. Nearly every breach points back to the need to prioritize security through the people, processes, and technology — the “golden triangle” — of a business.

How can management build a security strategy that addresses these core aspects of a business, ultimately ensuring that avenues for potential vulnerabilities are protected?

People are the greatest risk — but with the right processes, they don’t have to be

Insider threats and user errors are more likely to cause a security breach than external threats, according to a recent survey. Since most of these are unintentional and even accidental, educating end users on best practices for good cyber hygiene can make a significant difference in keeping a business secure. It’s ultimately the responsibility of company leaders to ensure that all employees, from the administrative assistant to the CEO, understand and help maintain security practices.

Required training programs are key to promoting security in businesses. Training means more than a free or self-guided online training session; while helpful to an extent, trainings must be tailored to your business and employees to be truly effective. At a high level, however, all training should:

• Demonstrate what “suspicious” looks like: It’s important to show employees the tell-tale signs of a phishing attack or other issue that could lead to a ransomware attack, virus, or other detrimental security issue. Suspicious emails should not be opened, suspicious links should not be clicked, and data should not be shared through unencrypted channels — and it’s the organizational leaders’ job to ensure employees know this.
• Explain that it’s not just about what happens online: Consider an employee who finds a flash drive in a parking lot. Flash drives might seem like an old, outdated way to store data with servers, external hard drives, and cloud storage, but if an employee who doesn’t know any better ports that parking lot flash drive into their work laptop “just to see what’s on it,” your business could become vulnerable to viruses and issues with the power to bring down your entire business.
• Educate employees on BYOD practices: In the era of remote working, security practices must extend far beyond the four walls of an office building. Employees must understand that practices like connecting to an open WiFi network — even one provided by a transit company — creates an open door for a host of security issues if it’s not password-protected.

Leveraging technology and implementing processes to achieve organizational security

Security is too often addressed on a reactive vs. proactive basis, and when security is only addressed after an issue has already taken place, it comes at a much greater cost to a company. Prioritizing proactive security practices should always be a company’s primary goal. To help get in front of potential security issues, organizational leaders can follow a few best practices: 

• Train employees for their specific jobs: Know which individuals in your business are privy to secure customer or company data, and train them properly. What are their touchpoints with security and privacy, and do they truly understand what security is and how to prioritize it? This is especially important for B2C businesses that deal with secure payments, confidential customer data and credit cards.
• Prioritize documentation and awareness: Do employees, especially individuals spearheading new projects or in charge of ongoing projects, know the proper security documentation? Are they aware of how to continually ensure security, e.g. engineers keeping their servers patched? As a general rule of, encourage proactivity instead of reactivity.
• Leverage a trusted partner: Many companies, particularly small businesses or those with limited budgets, resources, or without a dedicated security team, will benefit from leveraging a trusted partner. Outsourcing security to a company that keeps their servers up-to-date, uses an encrypted network, and constantly monitors for security breaches and issues is key to avoiding issues and ensuring data is protected and overall security is upheld.
• Implement security tools: If you are managing your own security, consider implementing a security information and event management (SIEM) tool to help monitor and manage security, flagging potential issues before they become catastrophic.

Demystifying security: an executive responsibility

In many businesses, there’s a common misconception that security must be kept a secret from employees and held ‘close to the chest’ of the individual(s) spearheading the company’s overall security strategy. Ultimately, it’s up to the executives and organizational leaders to dispel this misconception and demystify a company’s security posture. Having regular conversations about security will make it more top of mind for employees, leading to heightened awareness and increased prioritization.

Concluding thoughts

In addition to business leaders championing training and implementation of proper processes and technology, for a company to achieve a strong security posture, they must address each aspect of the golden triangle effectively. Implementing processes and strategies to help manage the people, processes, and technology of a business will help avoid potentially detrimental security issues and help keep business running as usual across organizations of all sizes.

Chris Wayne is the Chief Technology Officer at Yahoo Small Business, where he oversees engineering, production operations, support, and more.