Q&A: Meet the Infosec Director Speaking Out About the Weakest Links in Business Security

0

Human error is inevitable, but when mistakes are happening at an exponential rate in an organisation, they have the potential to seriously damage it or, worse, bring on its demise. This is especially true of cybersecurity mishaps. According to the cybersecurity and data analytics firm Cybsafe, cybersecurity breaches are primarily caused by ‘user error'. Thus, companies who are spending aimlessly on the latest security gadgets are clearly missing the mark. They say ‘you're only as strong as your weakest link', and in the case of security ‘chains', this couldn't be more crucial. With many teams now remote, dispersed, and unable to simply pop-in to, and rely on, in-office security hubs, should the focus be placed on educating employees on security best practices? 

To find out the right answer, we spoke with Lucas Szymanowski, Director of Information Security and GRC at Wrike. Lucas has been speaking out about the impact of the weakest link (employees) on business security at Wrike for just shy of two and a half years, in which he regularly explores how organisations can wave goodbye to the threats it poses. His experience, however, does not stop there. Lucas also has a history of managing risk, security and compliance, and vendor information security for the likes of eBay, LogiTech, and Salesforce. 

Thanks for joining us Lucas! Could you tell us a bit about your role. What does your day-to-day look like at Wrike and what does the GRC acronym stand for? 

Hello! No problem at all – it's great to be here! Sure, my name is Lucas Szymanowski and I currently serve as Director of Information Security and GRC at Wrike. The GRC stands for Governance, Risk and Compliance and is a very important part of what I do day-to-day. 

I have over 20 years' worth of experience in the consulting high-tech and financial service industries. During that time, I've worked with some of the world's leading technology companies, including Salesforce, Clarizen and Ebay. 

I started at Wrike in November 2018. In my current role, I oversee all of our security operations – whether its implementing risk identification, assessment and remediation strategies or ensuring that the business is meeting regulatory and audit requirements.  

Wrike, now part of Citrix, is the most versatile work management platform for the enterprise. It can be easily configured for any team and any use case to transform how work gets done. Wrike's feature-rich platform puts teams in control of their digital workflows, enabling them to focus on the most important work, maximise potential, and accelerate business growth. More than 20,000 customers, including Estée Lauder, Hootsuite, Nielsen, Ogilvy, Siemens, and Tiffany & Co., and 2M+ users across 140 countries depend on Wrike to help teams plan, manage, and complete work at scale.

The current remote working revolution has brought unique security challenges and it's arguable that this is just the start. In what ways have you had to adjust your mindset and initial approaches to security in your role?

Despite many areas of the business landscape still remaining uncertain, one thing that we can all be sure of is that remote work is here to stay in some form or another.  In fact, many businesses have already said that they will be encouraging staff to work from home more often, if not permanently, once the pandemic passes. For example, tech giant Twitter told employees in May last year that they could work from home ‘forever' if they wish, following the success of remote working during lockdown. Meanwhile, BP became the latest to implement a hybrid policy this month, requiring office-based staff to work from home at least two days a week. 

While a remote workforce has many benefits, it also brings with it many additional challenges for security teams - whether that's unsecure networks, increased phishing attacks, computer sharing or the use of personal devices to access work data. And, with the number of full-time, office-based employees only set to decline, it's critical that organisations are setting out detailed security strategies which can mitigate them all moving forward. 

At Wrike, we've also gone remote - at least for the time being. Over the last year, a large part of my role has been ensuring that our employees are remaining safe and compliant, regardless of where they are based. In order to do this effectively, we've had to focus on both technology and human elements. Luckily, our solution already provides enterprise-grade security with regular upgrades and patch management. Thanks to the controlled admin permissions feature, our IT team can decide who in the organisation has access to what information and Wrike Lock gives us full control over encryption. Of course, the human element of security is a little harder to control and we've invested heavily in training and general awareness for employees at all levels.

You recently shared your thoughts on the importance of Safer Internet Day, in which you emphasised the detrimental impact of ‘employee apathy' and ‘disengaged employees' when it comes to enterprise security.  Why are you so passionate about these matters and what do they mean in the context of security?

Traditionally, businesses have focused much of their cybersecurity efforts on keeping the ‘bad guys' out and making sure that network access is as restrictive and limited as possible. But in today's digital world, the reality is that employees across a business have access to a lot of sensitive data, making internal security a huge risk factor too. 

Whilst investing in effective security tools and technologies is important, so too is investing in the people that use them every day. It surprises many to learn that 95% of cyberattacks and information breaches are caused by human error or behavior, not technology failure.  

I'm a strong believer that if employees aren't engaged, a business is leaving the doors open to attackers.  In fact, employee apathy is one of the biggest security liabilities to any organisation. Disengaged employees are more susceptible to outside manipulation, more likely to leave systems vulnerable due to negligence, and at greater risk for leaking sensitive company information. Business leaders can invest millions in the latest technologies and the most innovative security solutions but, if they fail to ensure that employees are engaged and invested in the future of the business, they are essentially throwing that money down the drain.  

In that case, what are your top tips for boosting employee engagement with security? We did a recent Tech Chat on the current challenges organisations are facing with staff cybersecurity awareness training, so we know that that alone is no easy feat.

There are a few different ways that business leaders and IT teams can increase employee engagement when it comes to security: 

1) Engage with your audience as frequently as possible

One of the most successful changes we've made that has multiplied the return on investment is our ongoing and continuous engagement with internal staff. Our security organisation has become core to all new hire training programs and the ongoing education of all our employees. Additionally, we've made sure that the security team is always available and easy to connect with. This does require personal dedication of our team members, but the reward is an employee base that is always willing to reach out to us with questions before they become problems.

2) Point out the business impact  

Employees who are less technical might have a harder time understanding how security breaches occur and the wider impact they can have on a business. When delivering cybersecurity training, IT leaders need to ensure that they speak the employees' language and frame potential threats in terms that they both understand and care about. Pointing out the financial impact of a breach in concrete numbers can help with this. When individuals, especially those in executive roles, can visualise how a breach might directly impact their workload or position, they are more likely to follow security guidelines.  

3) Highlight personal risk 

There will always be individuals who take a more relaxed approach to security. However, by drawing attention to the potential personal threat of a security breach, businesses can make even the most lackadaisical employee take notice. In addition to business data, companies maintain an incredible amount of personal data for each of their employees and their families. National Insurance numbers, home addresses, phone numbers, family names, bank details and more could all be stored on company networks and are just as vulnerable as company data. Therefore, adhering to security standards is in everyone's best interest. 

4) Train your team to be better communicators and collaborators  

For security plans and processes to be adopted, they need to be understood and accessible to the entire business. Investing in communication training for IT teams can help them to better collaborate with other departments. Equally, partnering with communications personnel can help drive awareness of security initiatives across the company. All employees need to feel connected and on the same page when it comes to security procedures and processes. 

Now Lucas, you've been working in the security sector for over 10 years. What are your thoughts on the frequently bounced around phrase ‘Security is only as strong as the weakest link'? 

The weakest link in any organisation is the staff member that doesn't know the part they need to play when it comes to cybersecurity. This is the biggest hurdle that businesses face. Therefore, making sure that each employee understands that they are part of the bigger picture should be the goal of all security teams. 

We can achieve this by constant and ongoing communication with new hires and existing staff, as well as presenting the security organisation as being available and easy to contact. Traditionally, security has existed as an enforcement agency and we must try to change that view by making our security teams approachable and human. We can do this by integrating security into as many groups within the wider business as possible and ensuring that the topic becomes a part of everyday conversation.