Baking in layer cake security

22 September 2020

A fully remote workforce could be every CISO’s worst nightmare, or it could be a chance to get creative. JUMO’s Chief Information Security Officer and Head of Risk, Rob Bainbridge, puts a positive spin on how people working from home can actually contribute towards security controls — provided you have the right awareness and support programmes in place. He compares it to baking a layer cake, where the human layer is the icing on top, bringing everything together and giving it character.

“At JUMO, we take a layer-cake approach to security: people, product, data, ecosystem and cyber security — five layers covering all threats and risks in a way our business understands.

Being agile and mobile, we have to be smart about how we do security, taking care in choosing what to focus on, where to rely on technology, and how best to enable and not restrict our productivity.

Covid-19 is a once-in-a-lifetime event that got IT and security teams scrambling to deploy technology to secure remote working. At JUMO this has always been our objective. Sadly, like many others, we had to do some in-flight re-architecting to mitigate the heightened threats posed by full remote working (this was especially difficult when dealing with hardware issues).

We’ve always said at JUMO that security is not just a technical problem and true to our claim have sought ways to increase awareness of security risks and mitigation strategies across the business. Our first approach was not to delve into the technology but to start with the top layer — people.

Remote working relies heavily on technical controls — endpoint detection and response (EDR), anti-malware, anti-phishing, and vulnerability management, to name a few. But with the sudden transition to a fully remote business, people bridged the physical network gap and enabled security controls where technology couldn’t. Covid-19 was an event that not only tested our layered approach but affirmed it.

While we redesigned infrastructure, we were able to improve our security through staff participation. We quickly shared context and guidelines on how to do a health-check on your own laptop and created an open Slack channel to ask questions and get live support.

For the first time in my 20-year career I saw people logging tickets because their laptop was missing patches or a security agent.

When the time came for us to enable VPN connectivity to update agent settings, we helped JUMOnauts configure it themselves. Security control compliance increased daily.

Covid-19 and the transition to full remote working has opened the door to cyber security threats for many businesses, but it has also given us the chance to test and adapt our models and systems. And most importantly, to equip people with the tools to better manage security themselves.

6 things we learned about the layer cake

1. Icing first

People generally want to help and do the right thing. Give them the context and tools and you can rely on them to get security work done. For our organisation it’s an opportunity to extend response and defence capabilities, and for our people an opportunity to better understand and manage security threats in their professional and personal lives.

2. Cooking is an art, baking is a science

Fear, uncertainty, and doubt doesn’t help anyone. Create clear, articulate information about the risks and the response will be better.

3. Make recipes folks can follow

Keep the message simple. As much as we security folk love it, military jargon is not always useful.

4. Cake now or later?

Be aware of, and set tolerance for, people’s lives. Staff experienced a range of challenges that could hinder their productivity or our security mission. Be accepting of these and offer alternate options.

5. Keep it fresh

Remember the power of connection. Offering real-time avenues to discuss and resolve issues went a long way to bridge the gap created through lockdown.

6. Have your cake and eat it

Make use of connection time wisely. As a team we found ourselves spending too much time in meetings as a substitute for face-to-face engagement, and therefore sacrificed time we could be using to tackle other important people issues.”
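The self-service laptop health check described above (staff checking their own machines for missing patches or a security agent, then logging a ticket) can be turned into a small script that reports findings in plain language rather than jargon, in the spirit of lesson 3. The following is an added example written for this article, not JUMO’s own tooling; the control baseline (30-day patch age, 10-minute screen lock), the control names and the sample endpoint states are constructed assumptions, and in practice the state would be gathered from the operating system rather than typed in by hand.

```python
"""Self-service laptop health check for remote working.

Compares an endpoint's reported state against a small control baseline and
explains, in plain language, what is missing and what the laptop's owner can
do about it. Added example for the article above, not JUMO's tooling; the
control names, thresholds and sample states are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed policy thresholds (not from the article).
MAX_PATCH_AGE_DAYS = 30
MAX_SCREEN_LOCK_MINUTES = 10


@dataclass
class EndpointState:
    hostname: str
    os_patch_date: date                 # date the last OS security patch was applied
    edr_agent_running: bool             # endpoint detection and response agent running
    antimalware_running: bool
    disk_encrypted: bool
    screen_lock_minutes: Optional[int]  # None means automatic screen lock is disabled
    vpn_profile_installed: bool


@dataclass
class Finding:
    control: str   # short control name used for ticket routing
    severity: str  # "high" or "medium"
    message: str   # plain-language explanation for the laptop's owner
    action: str    # what the person can do themselves before logging a ticket


def check_endpoint(state: EndpointState, today: date) -> List[Finding]:
    """Evaluate one endpoint against the baseline; returns an empty list if healthy."""
    findings: List[Finding] = []
    patch_age = (today - state.os_patch_date).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(Finding(
            "patching", "high",
            f"Your laptop's last security update was {patch_age} days ago.",
            "Run the operating system updater and restart when prompted."))
    if not state.edr_agent_running:
        findings.append(Finding(
            "edr", "high",
            "The endpoint protection agent is not running.",
            "Start the agent from the applications menu; if it is missing, log a ticket."))
    if not state.antimalware_running:
        findings.append(Finding(
            "antimalware", "high",
            "Anti-malware protection is switched off.",
            "Turn it back on in the security settings; log a ticket if it will not start."))
    if not state.disk_encrypted:
        findings.append(Finding(
            "disk-encryption", "high",
            "Your disk is not encrypted, so a lost laptop exposes its data.",
            "Log a ticket; enabling encryption needs a recovery key to be stored safely."))
    if state.screen_lock_minutes is None or state.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append(Finding(
            "screen-lock", "medium",
            "Your screen does not lock quickly enough when you step away.",
            f"Set automatic lock to {MAX_SCREEN_LOCK_MINUTES} minutes or less."))
    if not state.vpn_profile_installed:
        findings.append(Finding(
            "vpn", "medium",
            "The company VPN profile is not installed, so agent settings cannot be updated.",
            "Follow the VPN setup guide in the support channel."))
    return findings


def compliance_score(findings: List[Finding]) -> int:
    """Simple 0-100 score: each high finding costs 25 points, each medium 10."""
    penalty = sum(25 if f.severity == "high" else 10 for f in findings)
    return max(0, 100 - penalty)


def ticket_payload(state: EndpointState, findings: List[Finding]) -> Optional[dict]:
    """Build a support-ticket body for anything the owner could not fix; None if healthy."""
    if not findings:
        return None
    return {
        "hostname": state.hostname,
        "title": f"Laptop health check: {len(findings)} control(s) need attention",
        "controls": [f.control for f in findings],
        "score": compliance_score(findings),
    }


def report(state: EndpointState, today: date) -> str:
    """Plain-language summary the laptop's owner can read without security jargon."""
    findings = check_endpoint(state, today)
    if not findings:
        return f"{state.hostname}: all checks passed (score 100)."
    lines = [f"{state.hostname}: score {compliance_score(findings)}/100"]
    for f in findings:
        lines.append(f"- [{f.severity}] {f.message} What to do: {f.action}")
    return "\n".join(lines)


# Constructed sample states (not real hosts).
SAMPLE_TODAY = date(2020, 9, 22)
SAMPLE_UNHEALTHY = EndpointState("laptop-01", date(2020, 8, 1), False, True, True, None, False)
SAMPLE_HEALTHY = EndpointState("laptop-02", date(2020, 9, 10), True, True, True, 5, True)

if __name__ == "__main__":
    print(report(SAMPLE_UNHEALTHY, SAMPLE_TODAY))
    print(report(SAMPLE_HEALTHY, SAMPLE_TODAY))
```

The findings carry both the problem and a self-help action so that most issues can be resolved by the owner, with the ticket payload reserved for what needs the security team.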