In the world of security, we put a lot of emphasis on creating technical solutions for common issues. That is, of course, one necessity for strong security practices. 

However, as we learned from recent events, sometimes technology isn’t enough to keep confidential information safe.

I’m not going to delve too deeply into the minutiae of Signalgate. If you missed the flurry of news stories, the “TL;DR” is that top Trump administration officials inadvertently added journalist Jeffrey Goldberg to a Signal group chat in which they were discussing highly sensitive military plans.

As you might imagine, the privacy and security community had lots to say about the mishap. But instead of re-hashing the details, I’d like to focus on the resulting lesson: A solid technical implementation is necessary for security but not sufficient without considering the people using the tools.

Good tech isn’t enough on its own

Signal is a great app, and its security is top-notch. It’s end-to-end encrypted, which means that call and messaging data can only be accessed by the people having the conversation. This is different from standard messaging via SMS (text) or many other messaging apps: there is no way for a third party, or for Signal itself, to access its users’ data. To further ensure that messages are safe, Signal has implemented easy-to-verify safety numbers so that users can confirm the communication is indeed between the right parties.

In addition to message-specific safety measures, the app is open source, which means anyone interested can review its implementation. There are clear settings for data retention so that sensitive data can be removed automatically. Without this type of transparency, there’s no way to ensure that a company is doing what it says it is with user data, which is why so many people trust Signal with their most sensitive communications.

It’s important to point out that Signal did not fail. Technologically speaking, everything worked as expected and as promised. But as the incident proves, using a good, secure app wasn’t enough to maintain security.

Even the best, most secure tools won’t keep your data safe if you don’t create and foster a true culture of security. It’s about more than providing the right tools and sharing a list of best practices and security dos and don’ts. It’s about developing a comprehensive policy that not only outlines rules but also communicates the reasoning behind each of them — why they matter.

While it’s common in the industry to say things like, “The user is the weakest link,” I think language like that does more harm than good. Treating your end user as an adversary instead of someone to collaborate with leads to people ignoring or misinterpreting the guidelines at best and looking for loopholes in your security policy at worst.

You need buy-in from those on your team if you want your security strategy to be successful. That’s why I believe and follow a “people-first” approach to security.

People-first security in action

The people-first approach to security is all about partnering with your team to create a secure environment — not only through solid technology but also through human processes that include education, convenience, clear communication, and empathy.

Let’s dive a little deeper.

Education

Safety and security education includes the obvious like creating a set of clear policies and expectations, documenting them in an accessible location (an internal knowledge base like Slab, for instance), and then creating a training program to relay that information to your staff.

However, you shouldn’t stop there. If people think rules are arbitrary, they’ll be more likely to stray from them. Your security training should include the reasoning behind your policies to help achieve buy-in and make it clear why policies are relevant to your specific team and company use cases.

That’s why, at Help Scout, we don’t rely on generic third-party security training. Instead, we built our own custom training in-house, refresh it annually, and run through it together in-person at our annual company retreat. It allows us to focus on what’s most important for us as a company and easily adapt it to keep it relevant and current.

Convenience

One of the greatest challenges to adherence to security policies is that they’re often inconvenient. In an interview with the New York Times, Jeffrey Goldberg, the Atlantic journalist who was accidentally added to the U.S. government’s Signal group chat, was asked why he thought the incident happened: 

“Because going into a skiff [sic] is a pain in the neck.”

Not that this was a valid excuse in this particular situation, but generally, if you raise the bar of compliance too high, your team is more likely to take shortcuts. A people-first approach to security takes real life into consideration, focusing on rules that are secure yet practical.

Using biometrics is a great example of this principle in action. Expecting someone to enter a complex 23-character password every time they log into their accounts isn’t always realistic. Using a password manager with Touch ID enabled, as we do at Help Scout, makes it easier and quicker to have secure passwords.

Clear communication

Another important factor in this type of security strategy is ensuring that the lines of communication between the security team and the rest of the company are always open. Make sure you provide clear channels and processes for folks to ask questions and raise concerns.

Having open communication helps build trust and makes it more likely that employees will follow rules and not be afraid to speak up when faced with a potential security risk. At Help Scout, we have a company-wide “Ask Security & Privacy” Slack channel for people to alert us to issues and for us to warn about potential phishing attacks.

I also meet with every new Help Scout employee during their first month. In that meeting I tell them about all the available avenues for communication, and, most importantly, I aim to make it clear that there’s no right or wrong way to reach the team. If someone has a concern, we want them to feel comfortable reaching out to us without worrying about whether they picked the right channel to do so.

Empathy

The most important element of a people-first approach to security is empathy. In most cases, employees aren’t trying to actively put your company at risk. I always tell people two things: First, that I don’t mind checking 99 issues that turn out to be nothing if that means I can catch the one that’s a real concern. 

And second, the sooner you tell the security team when there may be an issue, the quicker we can look into it and ensure it gets fixed. When something does go wrong, it’s always better to avoid scolding or shaming, assume good intent, and work with the team to recover from the incident.

Creating an environment without fear makes it more likely that people will admit to mistakes so the impact can be minimized and the issue resolved quickly. The goal is for your colleagues to feel like they can bring issues directly to you instead of looking for ways to circumvent them. 

Advocates, not adversaries

An effective security program not only minimizes the occurrence of security issues, it also fosters a culture in which everyone plays their own role in keeping company data safe.  

If you’re ready to put together a plan of your own, remember that good tools are critical, but good tools alone do not make a good security program. By intentionally building a well-rounded culture of security based in people-first principles, you can truly bring your team along and create advocates, not adversaries.
