Give Internal Stakeholders Reasons to Make Security Personal
February 8, 2016 | Security and Risk | John Worrall
It’s not unusual for privileged users themselves to be the most resistant cohort when it’s time to improve privileged access controls, and it’s easy to understand why. Without access to administrative privileges, IT administrators and database administrators (DBAs) may be unable to carry out certain tasks or use certain applications needed for their day-to-day roles. Many IT administrators, for example, believe they could do their job better with unfettered access and freedom to choose their own tools. They may view additional steps or restrictions as a burden. To address user objections related to implementing privileged access controls, it’s important to focus on communicating and contextualizing privileged account security.
Jay Leek, CISO of The Blackstone Group, stressed the importance of effective communications in a CSO article, noting that security professionals need to change how they talk about key issues: “If you can’t communicate effectively about what you’re doing, people are going to duck when they see you coming because you’re not making any sense… Your ability to articulate what their role is and why it’s important to the organization in a way they can understand is the only way to change organizational behavior.” He continued, “You have to align what you do and change the conversation to something that’s more meaningful to people outside of the security organization.”
When communicating internally with stakeholders, create messages that help them understand how improving security controls will help them personally. For example, challenge the traditional perceptions around productivity loss. Demonstrate that the recommended security practices can actually streamline tasks and make their day-to-day work with credentials more efficient, with benefits such as single sign-on and fewer tedious password changes.
Jim Motes, CISO of Rockwell Automation, notes in the CISO View report, “An advantage IT admins can really understand is nonrepudiation.” He continues, “Explain to them, for shared accounts, if we’re able to track exactly who is doing what and when, if something goes wrong with an account, you won’t be a suspect. For investigations, we’ll have a forensic trail to know it was definitely not you.” Also in the report, panelists explain that IT administrators are in a position of high trust within the organization, but often haven’t completely thought through the ramifications or how they would respond if their account was used inappropriately. Helping them to understand this highlights the critical need to make changes.
To be successful in improving privileged access controls, it’s important for the CISO and security team to focus on organizational culture and to help people navigate through the change curve. Above all, stakeholders need to have a sense of ownership in order for the program to be effective. Request their input and then incorporate it into the plans. Make sure the people who follow the new processes get a chance to review them ahead of time.
I found this chapter of the eBook particularly interesting. As a CISO, I’m sure you hear a lot about strategies for communicating with and winning over executives. Communication is an important part of the execution and success of a security program, so it’s also important to win the support of IT administrators and DBAs. For those interested in a more in-depth read on this topic, download the free CISO View report here.