Takeaways in this post:
- Digital channels enabling agility and growth also create both security and compliance risks.
- Examples: Slack can harbor malicious links and also inappropriate messaging; LinkedIn use can lead to both compliance violations and spear phishing attacks.
- Security and compliance need to work together to establish risk responsibilities and oversight.
- This collaboration consolidates toolsets, creates cost efficiencies, and drives effective digital transformation.
In a previous era, security and compliance departments could manage business risks in relative isolation. Security managed networks; compliance proof-read business documents or managed processes. Issues that arose fell neatly within one department’s purview.
Things are no longer this simple. Faced with modern forms of digital threat, compliance and cybersecurity threats cannot be regarded as separate. Security and compliance teams need to work together if enterprises want to securely embrace the channels that are central to business growth.
Digital Risks Make Department Divisions Irrelevant
In the rapid shift to widespread remote work, we saw many customers quickly adopt collaboration platforms at an all-new scale. IT was frequently the buyer. This meant they took the lead on procuring the software, and allocated a portion of their budget to pay for license costs. However, as soon as Slack or Microsoft Teams was onboarded, visibility and collaboration challenges emerged.
- On modern collaboration platforms, risks take many forms: Cyberattacks, data loss, employee conduct, compliance risks, and more.
- These risks span the traditional remit of security – and compliance.
- Malware, including ransomware, could be shared via link or file in a chat message. This is theoretically a problem for security.
- Internal bullying or staff misconduct could also be present (as at the luggage startup, Away). This is theoretically a problem for compliance or HR.
- Who owns what risks? In our experience, many enterprises have never properly answered this question.
A similar challenge emerges on a growth-driving platform such as LinkedIn. We often see our customers’ executives decide to embrace LinkedIn to reach prospects. In principle this is a smart move. However, once again, the risk profile is complex.
- As with a collaboration platform like Slack, threats on LinkedIn come in many forms.
- These include traditional security threats and compliance risks.
- Communications with prospects or potential hires need to obey company policy. If the executive is in a regulated industry, the compliance team needs to be extra wary of non-compliant communications.
- At the same time, the executive is under very real threat of spear phishing. Guarding against this type of soft attack is the responsibility of the security team.
- Once again: Who owns what risks? Who is responsible for securing LinkedIn so that the enterprise can drive business outcomes with peace of mind?
Teamwork to Bring Security and Compliance Together
The nature of modern cloud channels means that cloud security and compliance are inextricably linked concerns. Security and compliance teams working together makes business sense because this collaboration:
- Provides true visibility and coverage;
- Consolidates toolsets;
- Creates cost efficiencies;
- Drives the kind of transformational change that powers business growth, i.e. the enablement of WeChat, WhatsApp, and other tools.
A properly unified approach is more essential than ever in a time of unprecedented levels of remote work. A recent survey revealed that, with remote work now the norm, CISOs are concerned about a new set of related issues. 49% are worried about cloud usage vulnerabilities; 45% are worried about vulnerabilities stemming from personal device use. 41% believe there are very real risks with “unvetted apps/platforms,” and 39% think the same of “new vulnerabilities in existing apps or platforms.”
CISOs are right to be concerned. All of these risks are very real. And the threats at hand endanger both security and compliance: they overlap, appear together in the same channels, and target the same staff. An effective security and compliance suite can empower enterprises to implement the following principles:
- Don't silo toolsets
We’ve encountered companies where HR, Compliance, Legal and Security all procure separate Slack instances. This sort of siloing is antithetical to the sort of teamwork that enterprises need to properly secure themselves. Tools need to span the whole organization, so that teams can share visibility and tackle threats together.
- Roles and responsibilities need to be established
Even with a best-in-class security and compliance suite, communication is key. Key stakeholders and line of business owners must be communicating about how their approach to the enterprise tech stack is changing. If Sales is finding itself relying more and more on WhatsApp, both security and compliance need to know. If Microsoft Teams is being procured, ditto. The only effective way for cybersecurity policy and compliance policy to be in harmony is for staff to have a full view into how channels are being used, enterprise-wide.
With this communication in place, clear roles and responsibilities can be established: Who is monitoring employee conduct, and where? Who is monitoring data leakage, and where? How is reporting happening? These and many other questions, unique to each enterprise, need to be answered.
- Data must be comprehensive and searchable
Faced with the enormous amount of data that enterprises gather, security and compliance teams have different needs. Compliance needs a thorough and unbroken record of events. But security just needs rapid access to certain live issues. This is often where cloud access security brokers (CASB) fall down. They restrict access to a team's instance, but they are blind at the message level.
Enterprises need a platform that implements full and flawless record-keeping. They also need the platform to possess visibility into the word and sentence level of all communications, and for the data log to be fully searchable. If a platform can close this gap, it will empower cybersecurity and compliance to work from the same starting point and get out of their silos.
- Visibility across the enterprise is required
Once the risk landscape is better understood, you need software that can keep pace with the volume and velocity of digital communications. Manual monitoring or review is a non-starter. What is required is a security and compliance suite driven by machine learning. Modern-day risks and channels are in the cloud, so the tool must provide cloud-native defense. Teams need to detect threats at the app layer, and quarantine them before they can do harm, or transit through VPNs to corporate systems. Larger enterprises will want rapid deployment for multi-regional teams.
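The "comprehensive and searchable" and "visibility" principles above both come down to one message-level record that security can query for live issues and compliance can search in full. The following is an added illustration written for this post, not the product's or any vendor's code: it ingests a few constructed chat messages into an append-only archive, flags links to hosts outside an assumed corporate allowlist for security, and flags an assumed compliance lexicon for the compliance team, while the full archive stays searchable.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample chat messages; users, hosts and text are made up for this example.
SAMPLE_MESSAGES = [
    {"id": 1, "user": "alice", "text": "Q3 deck is at https://files.example.com/q3.pdf"},
    {"id": 2, "user": "bob", "text": "Renew your token here: http://sl4ck-verify.example.net/auth"},
    {"id": 3, "user": "carol", "text": "Tell the prospect this fund is a guaranteed return, no risk"},
    {"id": 4, "user": "dave", "text": "Lunch at noon?"},
]
ALLOWED_DOMAINS = {"files.example.com", "example.com"}   # assumed corporate link allowlist
POLICY_PHRASES = ("guaranteed return", "no risk")          # assumed regulated-industry lexicon
URL_RE = re.compile(r"https?://[^\s<>\"]+")


@dataclass
class Finding:
    message_id: int
    owner: str   # which team owns the follow-up: "security" or "compliance"
    reason: str


class UnifiedRecord:
    """Append-only message archive shared by security and compliance."""
    def __init__(self):
        self._archive = []    # every message is retained, flagged or not
        self.findings = []

    def ingest(self, msg: dict) -> list:
        self._archive.append(dict(msg))
        new = []
        for url in URL_RE.findall(msg["text"]):          # security: unvetted link hosts
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_DOMAINS:
                new.append(Finding(msg["id"], "security", f"link to unvetted host {host}"))
        lowered = msg["text"].lower()
        for phrase in POLICY_PHRASES:                    # compliance: policy language
            if phrase in lowered:
                new.append(Finding(msg["id"], "compliance", f"policy phrase '{phrase}'"))
        self.findings.extend(new)
        return new

    def search(self, term: str) -> list:
        """Full-archive search over message text; returns matching message ids."""
        t = term.lower()
        return [m["id"] for m in self._archive if t in m["text"].lower()]

    def archive_size(self) -> int:
        return len(self._archive)


def run_sample() -> UnifiedRecord:
    rec = UnifiedRecord()
    for m in SAMPLE_MESSAGES:
        rec.ingest(m)
    return rec
```

Each team filters the shared findings by owner, so neither needs its own instance or its own copy of the data.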
A Unified Cloud Security and Compliance Approach: Everyone Benefits
What do the different key stakeholders at a typical enterprise want?
- The CFO or CMO wants to fortify digital channels against both security and compliance risks, so that they can increase productivity without increasing headcount.
- The Chief Compliance Officer or General Counsel wants to ensure that the data/IP being transmitted in cloud applications not under enterprise control is secure and compliant.
- The CMO & CEO want to securely empower the executive team and recruiters to communicate effectively on channels like LinkedIn and WhatsApp.
- Marketing & Sales want to guarantee the accurate representation of products or services on social media and the web, and they want to know about any malicious intent on the dark web.
- The R&D department or the CPO wants to know immediately if there is any IP data leakage occurring within a private chat or collaboration channel.
Fulfilling all of these wants is only possible if security and compliance work together.
Enterprises that continue to operate in silos will simply not keep up. The nature of modern work is that security and compliance risks manifest in the same places. Often, they manifest within a large, complex, intertwined mass of data that is difficult to parse. Only teamwork can solve this challenge and drive effective digital transformation over the coming years.