SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and cyber-attack news
Partner content
Story image

Without trust, your security team is dead in the water

By Jessie Chiang
Tue 5 Jul 2022

The rise of cyberattacks and data breaches has increased the need for sound security that works across any type of business. But with any change in an organisation, buy-in is essential.

Airwallex's head of IT and information security Elliot Colquhoun says from a security perspective, organisations tend to over index on reviewing security controls, such as those implemented by a vendor or implemented within their own environments.

"This is a useful lens for business as usual, however, security professionals should expand their evaluation to also include the human and often undervalued aspects of trust," he says.

"Do your employees trust your security team? Do your customers have a positive perception of your security that has earned their trust?"

Colquhoun says having the trust of employees and customers is a force multiplier for security. At Airwallex, the staff are generally passionate about privacy and understand the impact of security changes, and so positive engagement is critical.

"We have seen first-hand that the high level of trust from our employees results in easier and more effective implementation of security changes and controls. The impact of this extends to our customers – their increased trust in our controls drives loyalty and wider adoption of our products," he says.

Later on, this positive branding also becomes a differentiator and a revenue multiplier. Companies get greater customer access because they have the perception and brand to convince their internal security teams.

How can security leaders build trust with employees and customers?

Trust is built on communication and transparency. Colquhoun advises that companies should share what is on their roadmap and openly discuss recent incidents or investigations. Focus on the impact of changes they're making and explain why they are required.

"Recently, we implemented a VPN which performed TLS interception. Naturally, some employees had concerns about the privacy implications, particularly for personal internet browsing," says Colquhoun.

To navigate these concerns, Airwallex took several steps to ensure its staff backed the objective, including:

1. Distributing a fact sheet that helped explain the privacy considerations in as simple language as possible
2. Writing an internal blog post explaining why it was implementing these changes
3. Hosting town hall meetings in each region, allowing employees to voice any concerns and the security team to answer any questions.

"Being transparent made our employees feel heard, and this increased the overall uptake and integration of the VPN. Some of our most cynical users turned into supporters who helped build our VPN into firewall rules for tools within their departments," says Colquhoun.

"Transparency is equally important for your customers as it allows you to demonstrate the maturity and strength of your security program. It's important to define the perception before customers define it for you."

"For example, we list our security certifications and details about our security program on the Airwallex Trust Centre, an NDA-protected portal on our website. We also publish blogs –such as our engineering team’s Medium page– and open source parts of our security infrastructure, in an effort to be transparent about our security program and share learnings with others in the industry."

Building security into a business identity transforms how its customers view its implementation – from simply alleviating a user experience pain point to adding real value to the customer's experience.

Traditional security engagement programs have turned into a box-ticking exercise

Increasingly rigorous regulator and partner requirements for security awareness and vendor reviews have driven a need for a very specific engagement model. For employees, this is typically annual security awareness training. For customers, this is likely SOC2/ISO27001 or similar audited reports. Unfortunately, while these strict requirements are the minimum acceptable controls for a regulator or partner, they often fail to drive meaningful engagement.

Colquhoun says if we're honest with ourselves, these box-ticking exercises alone do not represent the ever-evolving security program required to safeguard against modern threats. They also lack the opportunity to showcase the meaningful and differentiated controls implemented by security programs.

This is where a dual approach can be most effective.

"At Airwallex, we strengthen compliance-driven security awareness to meet regulations, with 'behind the curtain' awareness events to build trust and transparency," he says.

"Each quarter, we run an in-person session open to all staff; diving into some recent security investigations, giving our staff a better understanding of what the security team works on, and the kind of threats we are protecting our company from. This transparency leads to increased trust."

Colquhoun says frequent communication and transparency are critical when implementing a security program that prioritises building trust. Therefore, when designing a program, businesses should consider the following:

  • Do employees know what's on the security team's roadmap for the year?
  • Do employees know why different security controls are being deployed and the risks and threats they aim to reduce?
  • What is your customer's perception of your security?
  • How closely does that customer perception match the state of your security program?
  • Are you proactive or reactive with your communications?

Additionally, a senior management team with a deep understanding of how security impacts the business and its operations, is critical in determining the success of a security program. Engagement metrics – such as employee surveys measuring trust in your security team or increases in reported security events – are useful for obtaining trust from senior management.

"All of these methods require time. While a relatively easy and impactful addition to budgets and roadmaps, trust isn't built overnight, but once earned, the return on investment is priceless," concludes Colquhoun.

Related stories
Top stories
Story image
InternetNZ
How well do rangatahi understand cyber safety in Aotearoa?
Do rangatahi in Aotearoa understand the importance of being safe online, or has lifelong exposure to the internet resulted in widespread complacency?
Story image
Data Protection
Zero Trust, but verify - finding the OT in ZerO Trust
The move to remote and cloud-based technologies has shifted the goalposts for cybersecurity. It now needs to cover multiple people, devices, platforms, and networks.
Story image
Cloud Security
Tenable makes additions to Cloud Security portfolio
Tenable has announced additions to Tenable Cloud Security that represent the next step in assessing threats related to cloud vulnerabilities.
Story image
Microsoft
Avast reveals zero-day exploits targeting Chrome and Microsoft
Avast, released its Q2/2022 Threat Report today, revealing a significant increase in global ransomware attacks, up 24% from Q1/2022.
Story image
Cybersecurity
Education sector seeing highest volumes of cyber attacks
When breaking down the numbers to education attacks by region in July 2022, A/NZ was the most heavily attacked.
Story image
SaaS
Cloud and data protection big challenges for NZ businesses
"This surge towards a cloud-first approach meant security and safety became afterthoughts - there's no point being the fastest car on the racetrack if you crash.”
Story image
VMware
Latest VMware threat report reveals truth about deepfakes
"Cyber criminals have evolved. Their new goal is to use deepfake technology to compromise organisations and gain access to their environment."
Story image
Cybersecurity
Datacom research explores reality of zero trust in A/NZ
Zero trust is fast emerging as global best practice in cybersecurity and local leaders are on board, with 83% considering it essential to security.
Story image
Malware
Avast One extends protection with Online Safety Score
Avast One has extended its cross-platform support by adding its Online Safety Score feature to both the Mac and iOS platforms of Avast One.
Story image
Data Protection
Video: 10 Minute IT Jams - An update from SearchInform
Alexey Pinchuk joins us today to discuss the role the company plays in helping organisations manage risk and provide better security outcomes.
Story image
Surveillance
Ministry will no longer accept equipment from Chinese firm Hikvision
The Ministry of Business, Innovation and Employment (MBIE) says it will no longer accept equipment from a major Chinese surveillance camera maker.
Story image
Gartner Magic Quadrant
Gartner names Lookout a Visionary in 2022 Magic Quadrant
Gartner has recognised Lookout as a Visionary in the 2022 Magic Quadrant for Security Service Edge (SSE) and one of the top three offerings in the 2022 Gartner Critical Capabilities for SSE report.
Story image
Mergers and Acquisitions
Netskope acquires Infiot, delivers integrated SASE platform
Converged SASE platform provides AI-driven zero trust security and simplified, optimised connectivity to any network location or device, including IoT.
Story image
Open source
Flashpoint acquires Echosec Systems, elevates OSINT capabilities
Flashpoint has acquired Echosec Systems, a provider of open-source intelligence and publicly available information.
Story image
Compliance
Why security needs to shape your journey to the cloud
It's estimated that 80% of workloads could be in the cloud in the next few years. How can you make all that data secure?
Story image
Government
Mandiant researchers uncover significant new disinformation campaign
Researchers from Mandiant say they have uncovered a significant disinformation campaign from the Chinese Government in the wake of U.S. Speaker Nancy Pelosi's visit to Taiwan.
Story image
Gartner Magic Quadrant
Gartner positions Commvault as Leader in 2022 Magic Quadrant
Gartner has named Commvault a Leader in its 2022 Gartner Magic Quadrant for Enterprise Backup and Recovery Software Solutions report.
Story image
IDC
High level of Customer Identity & Access Management adoption
The study from Okta revealed that the pandemic has either accelerated or highlighted the need for digital-first strategies.
Story image
Google Cloud
Google Cloud to open first cloud region in NZ - among others
Google Cloud has announced plans to bring three new cloud regions, one each in New Zealand, Malaysia and Thailand.
Story image
Gaming
Attacks on gaming companies more than double over past year
The State of the Internet report shows gaming companies and gamer accounts are at risk, following a surge in web application attacks post pandemic.
Story image
Ransomware
Ivanti and SentinelOne partner on patch management solution
Ivanti and SentinelOne will integrate their technologies Ivanti Neurons for Patch Management and SentinelOne's Singularity XDR platform.
Story image
Phishing
Norton research finds NZ threat landscape diversifying on social media
Norton's quarterly report has highlighted the seriousness of the threat landscape in New Zealand.
Story image
SaaS
Claroty launches new cloud-based industrial cybersecurity platform
The company says Claroty xDome is the industry's first solution to deliver the ease and scalability of SaaS without compromising on visibility, protection, and monitoring controls.
Story image
Firewall
Fortinet unveils compact firewall for hyperscale data centres, 5G networks
"Fortinet’s dedication to pushing the boundaries of what is possible in security performance has yielded the most powerful compact firewall yet."
Story image
ExtraHop
Organisations exposing highly sensitive protocols to public internet
More than 60% of organisations expose remote control protocol SSH to the public internet, while 36% of organisations expose the insecure FTP protocol.
Story image
Rubrik
Gartner names Rubrik Leader in 2022 Magic Quadrant
Rubrik has been positioned by Gartner as a Leader in the 2022 Magic Quadrant for Enterprise Backup and Recovery Software Solutions.
Story image
Indusface
Why enhancing bot protection for web and API endpoints matters
The trouble with bots is that they aren’t all bad. Unfortunately, this can make it challenging to detect malicious bots that find their way into your system and threaten your business.
Story image
Data Protection
CyberRes partners with Google Cloud in lead up to BigQuery release
CyberRes, a Micro Focus line of business, has announced a partnership with Google Cloud to support the upcoming release of BigQuery remote functions.
Story image
Web application firewall
Radware recognised in KuppingerCole’s 2022 Leadership Compass report
Radware has been named a Product, Innovation, Market and Overall Leader in the 2022 KuppingerCole Leadership Compass report for Web Application Firewalls.
Story image
Cybersecurity
Palo Alto Networks responds to rise in threats with MDR service
Unit 42 Managed Detection and Response is a new service that can offer continuous 24/7 threat detection, investigation and response.
Story image
Neat
Workplace design a crucial factor for better employee experience - report
The key to a successful workplace could be its design, according to research from Ecosystm and Neat.
Story image
Artificial Intelligence
Exclusive: NZ-based DEFEND offers global cyber protection
DEFEND supports customers in 66 countries across the globe with a relentless focus on ensuring that every dollar spent on security provides a meaningful return on investment and reduces cyber risk.
Story image
Dicker Data
Dicker Data brought on as Acronis partner for A/NZ
The news about the partnership comes in as cyber criminals continue to exploit gaps in traditional solutions and strategies in NZ and across the APAC region.
Story image
Gartner
Veeam named Leader in enterprise backup and recovery
"We believe our innovation and ability to execute validates our solid standing as the #1 trusted provider of modern data protection."
Story image
Machine learning
Sysdig releases CDR offering to combat cryptojacking
Sysdig has unveiled a cloud detection and response (CDR) offering powered by machine learning to combat cryptojacking.
Story image
Data Protection
VMware introduces advanced workload protection for AWS
VMware Carbon Black Workload for AWS delivers comprehensive visibility and security across on-premises and cloud environments for AWS customers.
Story image
Dark web
Beware the darkverse and its cyber-physical threats
A darkverse of criminality hidden from law enforcement could quickly evolve to fuel a new industry of metaverse-related cybercrime.
AWS Marketplace
Learn how security orchestration, automation, and response (SOAR) enhances your security strategy.
Link image
Story image
Malware
Research shows attacks on the gaming industry are getting worse
Web application attacks in the gaming sector have grown by 167% from Q1 2021 to Q1 2022, according to new research from Akamai.
Story image
Privileged Access Management / PAM
The importance of stopping identity sprawl for cybersecurity
The 2021 Data Breach Investigations Report (DBIR) shows that 61% of all breaches involve malicious actors gaining unauthorised, privileged access to data by using a compromised credential. Unfortunately, it is often too late when the misuse of a credential is detected.
Story image
Sustainability
NZ program recovers and recycles more than 177 tonnes of e-waste
The TechCollect NZ pilot program says its milestone of recovering and recycling more than 177 tonnes of ICT e-waste recognises the efforts of many.