In an ideal world, employees would work closely with IT folks to ensure the security of their devices. But in reality, there’s often animosity between security teams and end-users. The lack of trust and collaboration undermines organizations’ efforts to enforce security policies.
We need to change how we approach security from the ground up.
Let’s look at why enforcing cybersecurity policies is so hard, how Honest Security flips the security script on its head, and how you can implement the principles of Honest Security to ensure compliance without rigid management that could erode employee trust.
Simply put, security teams and employees aren’t rowing in the same direction.
Security teams see themselves as a “fighting squad” and would do anything at all costs to protect the company. While they focus on reinforcing the fortress, they often overlook how they interact with end-users — the human factor that could make or break security measures.
Most security teams don’t give employees personalized advice. They rarely seek permission before making changes to users’ devices. They don’t ask employees for their input, such as whether an upcoming security change may impact daily workflows and productivity.
Meanwhile, the security industry is constantly developing new tools to extend visibility and control employees’ digital assets. These endpoint agents give security teams full access to users’ devices.
Administrators can download documents, view web browsing history, install software, check a device’s location, and erase files without the user’s consent or knowledge. Without proper communication and mutual respect, many employees find the approach dishonest.
For example, you receive a notification that your OS needs an update. Alas, we have all become experts at hitting “remind me later.” The IT team gets an alert that your OS is out of date. After a couple of emails or phone calls, they threw their hands in the air and just hit the button on their end. As your computer installs the patch, you wonder what else the security team is doing or can do in the background.
The IT team thinks that employees are uncooperative, hampering their best effort to keep everyone safe. So they up the ante and get more powerful and intrusive tools. Meanwhile, employees don’t want to be treated like kindergartners — being constantly monitored or told what to do.
Many companies end up in a situation where security teams and employees talk past each other or try to out-maneuver each other. IT teams don’t trust end-users to do the right things, and employees think IT is spying on them.
Such distrust makes the relationship ineffective and unsustainable. Organizations need a different approach to enforce security policy and achieve compliance.
Honest Security is a set of user-focused principles to help IT teams implement endpoint security and device management while preserving company values such as transparency, trust, and personal responsibility.
Honest Security helps security teams build effective working relationships with the end-users they defend. The practical techniques protect the dynamic between IT and employees from being harmed by dishonest approaches.
Honest Security gets to the root cause of the tension between security teams and end-users.
It’s the response to the shortcomings of traditional security solutions, which rely on strict enforcement and surveillance. It helps companies and IT teams establish healthier relationships with end-users. Ultimately, Honest Security allows organizations to create a better employee experience while having a more sustainable way of enforcing security policies.
Successful implementation of Honest Security starts with a sound strategy guided by the five tenets. Here are the key steps to include in your approach:
Honest Security focuses on educating employees about security and improving users’ adherence to security teams’ recommendations and compliance objectives. Therefore, your goals and measures for success should also take a user-focused approach.
Tricking employees into compliance isn’t the same as training them. Meanwhile, delivering the appropriate information at the point of performance can help increase the effectiveness of your strategy.
Automation won’t help you achieve 100% compliance because it can’t take contextual information into account to deliver the best user experience without compromising security. On the other hand, empowering end-users with the appropriate knowledge and winning their cooperation is the key to long-term success.
Getting informed consent from end-users to collect their data is the foundation of Honest Security. Informed consent isn’t a one-and-done item on the to-do list. You should get informed consent whenever a lack of it could damage the trust between end-users and the security team.
However, it’s impossible to get informed consent for every action. This is where the principle of transparency comes in. For example, all users should be able to access a privacy center and see how the IT team uses the access they have granted earlier.
Being honest about how you collect data and how consent is used minimize the chances that employees would go behind the IT team’s back (e.g., using personal devices to handle sensitive information.) When employees use endpoints that IT can monitor, the security team can collect accurate information to inform its decisions.
Your defense is only as good as the weakest link in the security chain, which is often the actions of uninformed employees. But no one likes to be reprimanded like a child — how can you correct erroneous behaviors while building trust?
The key lies in delivering the message, not as a “you’re doing something wrong” alert but as a well-crafted recommendation that not only instructs but also informs and educates — inviting further discussion to build trust and understanding.
Deliver these recommendations at the point of performance through a trusted communication channel, so users can take corrective actions when they’re actively making the mistake. This increases the chances that users will retain the knowledge in future situations and are empowered to do the right thing.
To ensure compliance over the long term, you need to support employees to implement the knowledge they have gained through training and education.
Reinforce consistency in taking the right action by setting up proportional and predictable consequences (e.g., access restrictions.) Explain the nature of the consequences when a recommendation is delivered. Activate them through an automated system and give users clear instructions to resolve the issue.
Some users may prefer a traditional device management approach to avoid getting locked out of critical accounts or services. You can offer opt-in management so the security team can implement the recommendations on the employees’ behalf.
Many people don’t like change, even if it’s a positive shift. Using software and automation alone can’t help you overcome resistance, encourage adoption, and ensure compliance.
Coaching gives you the human-to-human interaction to address end-user concerns. A successful coach prioritizes employee happiness and productivity while aligning employees’ preferences with the security team’s objectives.
Also, create opportunities for employees to share their feedback. Then, respond to the input with empathy and understanding. Meanwhile, implement a sunset plan for any software that doesn’t adhere to the Honest Security principles and communicate the transition with end-users.
Honest Security is different from traditional approaches to IT security, and you need a tool designed specifically to support the principles.
Use an endpoint security solution that allows you to clearly communicate your organization’s security guidelines and help users comply with security policies without rigid management. It should immediately and automatically notify users of security issues and guide them through self-remediation steps at the point of performance.
By reaching out to affected users and helping them take action, such software allows you to crowdsource security workloads. Users are empowered to remain the administrator of their devices without compromising your company’s security and compliance goals.
Kolide is an endpoint security solution built on the principles of Honest Security. Unlike other solutions, it prioritizes users’ privacy. The user-focused approach to security allows employees to see what data is collected, who can see the data, and even view the full source code of the agent running on their devices to achieve full transparency.
Kolide’s Device Trust solution delivers educational notifications and recommendations when their devices are out of compliance. If a device isn’t a secure state, an employee can’t authenticate until they’ve fixed the problem. This approach balances the legitimate need for enforceable security with employees’ need for privacy and agency. Hundreds of fast-growing companies are already using Kolide to enhance endpoint security without locking down employees’ devices and hampering their productivity.
Watch our on-demand demo and see how it Kolide’s Device Trust solution can improve security in your company.