How to Handle “Office Space” Moments and Move Forward with Your Privileged Access Security Program
One of the most well-known characters from the cult-classic movie “Office Space” is Milton Waddams, who famously uttered, “I don’t care if they lay me off…but it is not okay if they take my stapler!” Sometimes it feels like security teams are dealing with similar challenges, as executive leadership questions program expenditures or users balk at changing daily routines to support the greater goal of reducing privileged access-related security risks. If you’ve ever fought the urge to take a bat to your office printer (or computer… or entire data center, for that matter), this blog post is for you.
At CyberArk Impact Americas 2018, a popular “Defense Strategy” breakout session featured a CyberArk customer panel – with participants sharing their own real-life “Office Space” moments. Here’s a look back at some highlights of the discussion. Names have been withheld to protect these hard-working security leaders who have never once thought about setting their office on fire.
Mmmmmmk…yeah…we’re going to need to go ahead and secure our privileged accounts
How to build the business case for prioritizing a privileged access security initiative
The security engineer at a government technology services provider joined the organization as it was beginning its journey to the cloud, and the expectations around security, reliability and seamless integration were high. This pressure to deliver was compounded by heightened security mandates and regulations for the handling of classified information. Yet the legacy privileged access management system he had inherited kept failing, forcing him and his team to come into the office on nights and weekends for emergency fixes with increasing regularity.
He saw a critical need to invest in a strong privileged access security platform that could grow with the organization’s needs and scale to meet future use cases, but he knew getting executive leadership on board for a full rip-and-replace would be a challenge. To help build a compelling business case for change, he calculated the operational cost of this near-constant triage – a staggering $160,000 in extraneous personnel hours per year. This certainly got management’s attention, and he soon had the approvals necessary to move forward with privileged access security vendor evaluations. After an extensive evaluation process, the team selected the CyberArk Privileged Access Security Solution.
As is often the case during times of significant change, the engineer faced some initial internal pushback around the legacy system replacement. However, he was able to quickly alleviate fears by demonstrating CyberArk’s ability to meet current and future requirements along each step of the organization’s projected roadmap. The organization’s application development team was particularly impressed with the solution’s low latency, quickly realizing how it could help them to improve their security posture without hindering application development and delivery.
We need to talk about your flair
How to broaden your organization’s use of privileged access security across more parts of the organization
A string of acquisitions brought valuable new technologies and business models to a large software development company, further driving the company’s culture of accelerating innovation. However, a distributed environment coupled with a pervasive “startup mentality” presented numerous challenges for the security team. Without a centralized privileged access security solution in place, teams often took matters into their own hands, leveraging their own disparate security tools, automating and “fixing” workflows without security in mind, and even developing their own password vaulting tools. While this proactivity and overall intent was applauded, this security leader and his team needed a way to educate employees about privileged access security best practices, along with the CyberArk solutions available to them.
To drive broad awareness across groups, the security team partnered with the organization’s communications team and developed articles for the company newsletter, along with a number of how-to blog posts and wiki updates. They didn’t stop there. They also organized an internal workshop series to introduce different departments and geographies to CyberArk. Some sessions were designed for existing CyberArk users who needed a refresher (but perhaps didn’t realize it). Rather than telling them what to do, the focus of the session was on asking them what they were trying to accomplish – and why. This approach fostered a collaborative, two-way dialogue enabling the security team to empower users while also training them on best practices, processes, new features and use cases. This strategy has significantly helped to boost awareness and adoption of the privileged access security solution and has also helped business teams realize increased operational efficiency through simplified workflows and processes.
I believe you have my passwords
How to turn privileged access security skeptics into advocates
This security leader overseeing privileged access security initiatives at a global provider of risk, retirement and health solutions is no stranger to pushback. Change can be hard and preconceived notions are strong. A perfect example of this came to him one day in the form of an email, in which a stakeholder expressed skepticism around an impending privileged access security program rollout.
The security leader took time to consider that person’s perspective and then crafted his reply. In it, he stressed the unique opportunity the stakeholder – and organization as a whole – had to tailor this new implementation to their specific needs and pain points. He underscored his focus on collaboration, usability and performance, and invited a further discussion to address the person’s concerns – which the stakeholder readily accepted. The positive dialogue that followed was the first in a series of conversations that cultivated a strong privileged access security program champion for the organization.
The security leader took away three key learnings from this interaction. First, it’s important to practice and polish your pitch, so that you can communicate your vision for your privileged access security program in a compelling, confident way. Second, stop talking and really listen to what stakeholders say. Then, go beyond listening to ensure their needs are taken into consideration, while also demonstrating how the vision will equate to tangible benefits and improvements. Third, take the time to truly engage with them to gain their trust, alleviate fears, provide strong evidence (i.e. analyst reports, industry studies, etc.) and documentation (i.e., defined templates, scoping documentation, how-to’s, etc.) to support the privileged access security program’s vision, and most importantly, form a collaborative relationship so that privileged access security tools and workflows are optimized to meet their needs.
Want more tips on building a business case for your privileged access security program and getting stakeholders to give up their old “staplers” for something much better? Check out the CISO View report, “The Balancing Act: The CISO View on Improving Privileged Access Controls.”