Extending the GSOC's reach with an employee hotline app for security.

Security leaders are underserved by ethics hotlines, generic email addresses and internal telephone extensions as a means for employees to speak up about workplace violence, theft, harassment and cyber hygiene. Increasing workforce engagement by implementing a security-focused mobile hotline can improve effectiveness and reduce long-term costs.

Why do Incident Reporting and Case Management tools focus on intake from a security guard or analyst when the vast majority of security issues are observed earlier and in more detail by the general workforce?

As a 20+ year veteran of security and investigations, I have been on the receiving end of many leads from sources outside of my department, many from Ethics and Compliance hotlines. Regrettably, the idea of spending on security hotlines has gone by the wayside, nudged into discussion only slightly by the increased focus on insider threats ranging from workplace violence to protection of classified or proprietary information. The results is that most companies have a security hotline that is implemented on the cheap, without much thought given to how a properly implemented hotline can improve effectiveness of the security team and help contain overall costs.

Think about your average workplace - a medium-sized business might have a 2-3 security guards and/or cyber security analysts on site during the workday. At the same time, there may be a 1000 pairs of eyes and ears spread across your building(s) in the form of staff and contractors. Rather than provide a venue for them to speak up about theft, harassment, cyber hygiene or other issues THEY might well believe are best reported to Security, many security managers instead leave in place inadvertent roadblocks to reporting on Security matter that don't exist with today's leading Ethics hotlines. (I am thinking here of those generic email address, internal department phone extensions, even paper forms.)

These are not a best practice for Ethics hotlines, nor should they be for Security hotlines.

How do you justify the spend? Consider the average cost of security guard, who has one set of eyes and ears, perhaps augmented by a small bank of cameras, PSIM or SIEM that extend their reach into the digital. Now think about the staff that occupies every corner and nook in the building, knows what is out of place in both the physical and virtual domain and observes actions and conversations that could be considered bullying, harassment or indicative of insider threats. Consider also that with rare exception, each of these staff members wants to occupy a safe, secure workplace of integrity. Why not make it easier for them to share their concern in a meaningful, timely fashion? After all, most often, investigations into costly and/or grievous incidents almost always reveal that certain "non-technical observables" could have mitigated or prevented the incidents...if only they had been shared in more timely, effective manner.

This not about deputizing the workforce, that would be a mistake. For many, "guarding" is not part of their makeup and it's not their job, and they don't have the proper training. What if, though, you could put a security professional in their hands, one that is expert, always available and who can guide them through a brief, meaningful (and if they want, anonymous) interaction that allows them to share their concern and get on with their day. Seems like a win to me...and sounds a lot like what ATM's did for banks and check-in kiosks did for airlines. Augmenting the productivity of key by empowering the individual.

As budgeting season kicks into gear you are no doubt reviewing the effectiveness of your security team and the significant costs of finding and training additional personnel. You are probably doing this while also reading headlines about the most recent workplace violence incident, breach or theft of intellectual property. Perhaps is also time to consider the gains to be made from better engaging your existing "workplace neighbors," many of which are all to happy to help if you are able to empower them with the why and the how.