
Security is about People Too… And Vacations do Matter to Security

I recently passed around to my team of security engineers a meme / diagram showing a “Vacation Lifecycle.” (I can’t give proper credit to it because it did not have a credit on it. So if it is yours, say so and I would be happy to provide credit or even remove it.)

In communicating with my team I reminded them that if they properly plan ahead for their vacations we can work together to minimize or even eliminate that pre-vacation mountain, which in turn smooths out the peaks during the vacation. I also reminded them of my philosophy that a) when you are on vacation you are on vacation and b) a managed reintegration is a key indicator of success. I have a philosophy that for every week you are out there is one day on the return side on which, if you work diligently and don’t act like you are on vacation, you can respond to emails, get caught up and prepare for the tasks at hand in the coming days. In our case, this would include no customer communications, no tickets or new work, just catch-up and reintegration. And frankly, that may include talking and sharing with your co-workers about your trip.

What does all of this have to do with security?

A few days ago I was conversing with a long-time friend about what we do in Information Security. The world sees us as cyber warriors that sit with cloak and dagger, behind a desk all day in a dark basement hacking on unsuspecting entities. I communicated to her that we do and must know so much more than hack all day. To me, that is what makes security so much fun. When we deal with vulnerability assessments we have to know building requirements, material types, and lighting types. When writing and maintaining policy or interpreting regulations and compliance requirements we have to be almost lawyers (notice I said almost… don’t want to go across that line!). When we do forensics we have to know the law and work with law enforcement or the court systems so as not to render our evidence useless by a simple procedural mistake. Security is so much more than just IT or hacking from dark rooms, which is a long-winded way to say that yes, vacations and treatment of people matter in security.

People Matter:

I have long been an evangelist for people coming first in an organization or thought process and that there is a pecking order of people, processes and technology (which is a whole other blog post). Often security and IT practitioners lean in their respective direction, security people towards process (policy, standards, etc.), security and technologists towards, well, technology. But I strongly believe that people are key to your organization. Let me rephrase that: people are the key to your secure organization. People watch out for one another and their surroundings, pick up anomalies, ask questions, have loyalties… or not, make decisions, both good and bad. If you have people in your organization that fear going on vacation could lead to a lost job, have greater stress overall, fear work done incorrectly by a stand-in may reflect poorly on the originator’s work reputation, or even dread talking to co-workers, you have an organization with a culture problem, and that is a security risk. Read that again and let me put it more plainly. Unhappy people are a security risk. Sick work environments are a security risk. Disgruntled, flustered or frustrated employees are more apt to be an insider threat.

What is an Insider Threat?

For those not familiar with an insider threat, it is a threat that comes from within your own walls, either an employee, contractor, or a business associate. Depending upon which statistical group you speak to, anywhere from 55% to 70% of the threats your business faces are insider threats. Yes, you are more likely to have a security incident or breach from the inside than from the sinister hacker in his mom’s basement or off in a far-flung land. Most people that are insider threats are not intending to be malicious, and most threats that are realized are done so as errors or slip-ups, not targeted attacks.

Some people call former employees insider threats. I do not classify them as such. If they are no longer in your organization and work against you, they are a significant external threat.

If a company has a culture of fear that makes people concerned about taking time for themselves, taking the simple action of time off to recharge the batteries (commonly known as vacation), then this is a culture or a manager that encourages and makes people become insider threats, or a security problem. In saying that a culture makes a person an insider threat, hear me clearly: I am not saying that that absolves the threat agent of responsibility for his or her own actions. Most assuredly, when someone crosses the line into the dark side, either accidentally or by malicious intent, they must be held to account. What I am saying is that in a culture of fear and frustration, where something as simple as vacations is mishandled and maligned, the organization, manager or culture that produces that fear and frustration must be held to account as well.

What can and should be done?

As CISOs, Security Managers or security practitioners, like with any other threat, we are bound by ethics and responsibility to report situations to management, make them aware and let them decide the best course of action for the organization. In my current organization I am trying so hard to create a culture that allows the reporting of the best security practice with the understanding and intent that it be used by the management team to make informed decisions. Hopefully they will come back and ask how best to fix it, how to reduce the risk. However, if they choose to ignore it or choose a different direction than the security recommendation, so be it. An informed decision was made, and that really should be our goal. We could even revisit it later as the risk changes. (PS: CISOs should sometimes learn to brush the dust off of our feet and move on to the next problem instead of harping on an informed situation too.)

If you are not in security but are a manager, take stock of your team. Ask yourself how you can make the organization better by reducing insider threats. Is it as simple as helping employees that are heading out on vacation reduce that peak of stress before they go on vacation by reassigning tasks or projects a week or two in advance? Is it as simple as giving that reintegration day and protecting that for the employee on the backside of the vacation?

If you are an employee, the first thing you can do is put two feet on the floor in front of your desk every morning and tell yourself to slow down, think about what you are doing and be deliberate about it. Slowing down and being deliberate can eliminate a multitude of insider threat sins. You could also approach your manager / leader and communicate constructive ways to do your job differently to reduce risk.

Together we can change the culture and reduce insider threats.