How to Assemble a Solid Security Team

I think most company leaders want to believe that all their employees are honest and trustworthy people—until they discover otherwise. I can’t count the number of prospective clients who have put off buying our employee monitoring software and, a couple of weeks later, called me in a panic because someone had stolen sensitive information or intellectual property.

Trying to close the barn door after the horses have bolted is a tough and bitter lesson.

Every company, from the smallest proprietorship to a Fortune 500 member, has valuable assets to protect. No one can afford to be without a security plan that keeps tabs on its employees. Yet astonishingly, not enough companies devote adequate resources—both dollars and human capital—to build a solid security team.

What does an ideal group look like? It draws from several functions and departments—the C-suite, legal, human resources, information technology, and, of course, security. Each has a stake in safeguarding a company’s proprietary data; their different roles form an interlocked whole in the best security teams.

Obviously, it’s easier to assemble such a squad in a large corporation, but I’ve known mom-and-pop operations where one or two people have played just about all the necessary parts and outsourcing what they can’t do. So, let’s break down the functions of each role.

The C-suite defines what’s at stake for the company and frames a general plan for safeguarding the company treasure: IP, client lists, account information, projects under wraps, and so on. Executives can also define the tone of any sort of plan to monitor employees, from the degree of transparency and informed consent to the assurance of respecting privacy.

Legal navigates security procedures for companies doing business abroad by complying with different in-country laws affecting security. It also lays down procedures to ensure that anyone can be terminated for cause and it has the company’s back in case that employee decides to sue. And, if you decide to use some system of employee monitoring software, legal can assign everyone a risk score, depending on title and access to sensitive information.

HR, as I’ve mentioned in an earlier post, is at the hub of a good security team because it interacts with more company employees than anyone. People gravitate to human resources, sharing stories about the workplace and their personal lives, while knowing their confidences won’t be broken. It can be a critical place for someone to call attention to a troubled employee—themselves or others.

HR can also alert the right people in the company without compromising someone’s privacy. Ken, for example, may have an alcohol problem; HR can notify security to keep an eye on him without specifying the exact cause. The HR department is also instrumental in providing important context if someone changes roles in the company. When Susan gets promoted from personal assistant to office manager, her “normal” activities change and her risk level may rise. IT and security need to know that in order to adjust her level of monitoring—or to prevent an investigation that may not be necessary even if her workplace activity and behavior change.

IT knows the company networks and exactly how people use it. Among other things, it provides the know-how for installing, running, and maintaining systems that monitor employees and keeps an accurate record of any anomalous behavior. The typical IT practitioner—and I’ve worked with hundreds and hundreds of them—likes order and hates conflict. If an executive says: “We just fired a VP and I need to see the last 30 days of his activity record”—his emails, chats, texts, downloads, time spent on various systems, etc.—no developer wants to get caught short. Keep the IT guy in the loop and he’ll happily deliver.

Security folks, as we all know, are a special breed. These days, many of us come from a military or law enforcement background. We bring critical judgment and natural investigative skills. Yes, we need to get up to speed with the company’s technology environment, but once we do, you can count on us for a keen nose to scent anything that’s gone awry and the sort of peripheral vision that sees something no one else does. We’re at our best when we work hand-in-hand with someone in HR to tell if our activity monitoring is on target or a false positive—and whether to proceed with a deeper investigative dive.

Each of these roles plays a critical part in protecting your company. Working together, we can all become an almost unbeatable team.

What’s Hot on Infosecurity Magazine?