Culture Matters: Security Best Practices in a Global Era
As I write this, I’m sitting on an aircraft flying back from London to Austin, thinking about what I’ve learned on my most recent trip. It’s always interesting visiting another country, and so it was with some excitement that I traded the wonderful weirdness of Austin for the formality and deep history of London.
The purpose of my trip to the UK was to meet with customers, catch up with Forcepoint researchers, and to take part in an event we were hosting – a round table dinner about the intersection of HR, Legal, and Security, especially as it relates to employee monitoring. That dinner was fascinating, but I’ll save a discussion of that event for another time. Instead, I want to talk about something a little bit more personal, but directly related to those topics: culture.
Every time I fly to the UK, I try and get to my home town for a night to visit with family – I was born in England, and moved to the US in my late 20s. When I’m in meetings in the UK, it’s all business so it feels very much like being in the USA. However, when I’m at home, in a much less formal setting, I am able to experience the subtle differences in culture. Those cultural differences are things I miss – it’s not a matter of better or worse, but there’s something wonderfully familiar to me about my English roots.
These differences are also something to celebrate, but they’re at the heart of some of the toughest challenges we face when trying to design security solutions that look at content. As anyone who has done business worldwide will attest, creating a single unified company policy without treading on the cultural sensibilities of local offices is a difficult task. In my specific world, doing that with respect to security is doubly difficult.
Let’s take a specific example: the level of monitoring that is acceptable in different environments and different locales. Here, the differences are broad: for some organizations, such monitoring is omnipresent, whereas in others it’s viewed as “impossible,” either for legal reasons or for cultural ones. Knowing where you stand legally is a little more black and white (as an aside, Forcepoint sponsored an outstanding whitepaper by Hogan Lovells on what is and is not legal in various jurisdictions…it’s well worth a read), so armed with the legal knowledge of what’s possible, the next step is much harder: what is culturally acceptable.
The challenge remains: how do you build a single security culture while preserving the wonderful differences we have worldwide? I would suggest that there are three key steps to take.
First, be open about the company’s real goals. No commercial company that I know of is interested in the minutiae of an employee’s personal life…the ONLY goal of monitoring is to provide protection for the company’s data and for other employees. Being clear about the objectives opens the door to a real conversation. Be honest, too, about your motives: if you are using data for something other than security, you should be clear about that.
Second, in the context of the conversation, start with what’s right, not with what you can do. Let me explain that a bit, as it’s not obvious. If we start with the law, we end with a list of things we can do (for example, you can collect browsing history but not keystrokes), and then we do those things. That’s one way to approach the problem, but it can sometimes result in over-collection for the task at hand. I prefer the human-first approach, where we look at the people, and decide what’s the best overall good for both the person and for security. Now, armed with this list, we ensure that it’s in compliance with local laws, and adjust when it’s not. The former approach leads with thinking about what you need; the latter leads with what you can get.
Finally, engage fully in each locale, involving both local HR representatives and workers councils, as well as regular members of the community. Talk about what’s being done elsewhere and why – focus on blending the global stance of the company while considering local needs and norms. Again, I can’t stress the word “conversation” strongly enough: this has to be a real dialog.
Becoming “one global company” is something that Forcepoint has spent considerable energy on over the last couple of years. After all, we have offices all over the world, from Australia to Virginia (I was hoping for a ‘Z’ there, but it was not to be…yet…I’m sure we’re working on it!), but we’re one company with one set of needs with respect to security. It’s been a rewarding ride and we’re not done yet, but I think we’ve kept what’s special about each location yet are becoming unified on the operational processes that matter. One company, one set of needs, but many different people. Culture matters.