Even in tech companies, people are the key to effective security

An extensive roster of security champions has proven pivotal in building an enterprise-wide security culture inside the global operations of security vendor LogMeIn, according to a company CISO who sees people engagement as the most important part of ensuring good security.

That may seem counterintuitive in a company that has been growing rapidly in recent years on the back of its security technologies – which include LogMeIn’s remote access tools as well as the recently-acquired identity and access management (IAM) giant LastPass and Citrix Systems’ former GoTo remote-access and collaboration products.

Yet building secure products requires secure thinking at every level of the organisation, CISO Gerald Beuchelt told CSO Australia – and that means getting everyone reading from the same secure playbook.

“At the end of the day we are running our own software,” he said, “but the infrastructure that we are running on needs to be just as well-secured as the code that gets generated.”

With this in mind, Beuchelt made staff-driven engagement a key priority after he began working with the company in mid 2017. He organised the security team into functional groups focused on application security, infrastructure security engineering, and security operations – including targeted activities such as vulnerability management, threat hunting, threat intelligence, and forensics.

The structure included the creation of a small security engagement team focused on security awareness training, employee engagement, public service announcements around security, security alerts, and the like.

The team also has expertise in governance, risk, and compliance (GRC) capabilities, which have seen the security team “take ownership of the entire governance of the information security-related policies,” Beuchelt said.

“Our compliance program includes voluntary activities such as SOC Type 2 certifications, which are good drivers for bringing home good security practices,” he explained. “They’re also very effective sales and business-acceleration tools: you can really shorten a sales cycle significantly with an appropriate set of security reports.”

Simply having these activities happen in the background isn’t enough to maintain a security-focused culture across the entire organisation, however – and that’s why a key part of Beuchelt’s organisation has been the establishment of a “comprehensive” network of around 120 security champions, who work with the 35-strong security team to ensure that core messages around good practice trickle down to every corner of the organisation.

Those champions “are fully integrated in their teams but also commit to spending additional time to act as force multipliers for us,” he explains.

“We give them competition and training opportunities that we would not be able to give to others, and we rely on them to push our security messages deep into the teams, and to act as local experts around security.”

That approach has proven to be “very effective” in providing the scalability that the security team needs to get its message out. “Particularly for a company like ours, which works in security and in a software-as-a-service environment, this is a very effective way of doing this,” Beuchelt said.

“Without the full support of the champions, I could have two or three times as many staff,” he said, adding that maintaining this level of support is one of the things that keeps him up at night.

“It’s really about making sure these kinds of outreach programs and engagement activities really are successful, and ultimately that they catch on with people,” he said.

“We are way past the time where the security team comes in with a big stick, tells people ‘you can’t do that’, and shuts down systems. It’s all about optimising our delivery of our mission in a collaborative way that still achieves our security goals.”