Showing results for 
Search instead for 
Did you mean: 
Create Post

Making Every Agency Employee a Security Advocate

Level 13

By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting article by my colleague Jim Hansen with ideas for engaging agency staff to be part of the solution to security challenges. Insider threats have been a leading cause of breaches for as long as I can remember, and I like Jim’s approach of making everyone a security advocate.

The rising numbers of data breaches should come as no surprise to federal IT security pros who work every day to ensure agency information is secure. However, these breaches may not be something a federal IT team can prevent on its own.

According to the most recent SolarWinds Federal Cybersecurity Survey, more than 50% of respondents say careless or untrained users are the leading cause of data breaches across the federal government. Spam, malware, and social engineering are far and away the greatest threats; oftentimes end users unknowingly take actions that go against agency security policy or harm the network.

Three Steps to Stronger Security

While technology is generally the most solid defense against security threats, federal IT security pros should also take the following steps to improve agency security.

1. Start from the top. In any organization, leadership sets the tone. If all agency heads become security advocates, it will send a clear message on prioritizing security initiatives. Consider hosting a town-hall type meeting, or a “lunch and learn,” where leaders explain what’s at stake to encourage employees to take a more personal approach to security. Leadership can explain what they do to protect agency data while discussing the importance of agency policies and enforcement.

2. Provide solid user education. Security breach statistics consistently show that most attacks originate inside the organization, stemming from things like an employee falling victim to a phishing scheme or simple end-user errors that leave them, their identities, and their systems exposed. Provide simple, easy-to-follow education, direction, and training. Educate staffers on the implications of not following the training in a way specific to the agency. Give examples of the types of things to look for in phishing or socially engineered attacks. Flag security vulnerabilities that could be exacerbated by end-user activities, such as using agency email on a smartphone OS that requires a security patch or accessing a social media profile with a password that may have been part of a larger breach. The more the end user knows, the better.

3. Ensure security policies are fluid. Security threats change every day; policies that stay the same year after year are inherently outdated. Reassess policies every six to nine months to ensure the policies align with the changing threat landscape and risks to the agency so they’re as effective as possible. To encourage more end-user advocacy, establish two different security policies: one for the IT and security team, and one specifically for staff. And, be sure to update both often. This not only shows end-users the agency’s level of commitment, it will provide an opportunity for ongoing and continued education.

Remember, to enhance the agency’s security posture, security initiatives must be a priority for everyone—not just the IT team. More education and more participation will often lead to enhanced end-user engagement, and that’s the ultimate goal.

Find the full article on our partner DLT’s blog Technically Speaking.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.

Level 14

Thanks for the article.  I am afraid that some departments require mandatory education that turns people off from being enthusiastic about this training. 

Level 20

These days it's an annual thing... tons of training and forms that need to be approved and submitted.

Level 12

Thanks for the article. I've participated in these trainings. Mostly annual mandatory CBTs. Many times it has felt like leadership is more concerned about compliance, that everyone has shown they have taken the training, than actually creating a environment where security is a central focus.

Level 12

Nice article. I have long believed that the type of person who will open any email attachment because they're curious, or play "games" that instruct users to provide their email addresses and much of the information that many people base passwords on, needs to be trained about security. And if they refuse to take security seriously, they need to be terminated.

Unfortunately management doesn't agree with this position. I have no doubt that a major reason why they don't agree is because some of the biggest security offenders are in management.

I like your philosophy.  EVERY agency and person and organization participating with anything financial or online or having to do with health or safety or manufacture or electricity or water . . .

They ALL need better security training and better scrutiny and review.


Thanks for the article.

Level 11

Sadly a lot of the time this becomes a tick box exercise.  Until the higher echelons of the organisation realise they're the weak link in the security chain, then nothing will change.

Level 16

Quite awhile back when PCI was just beginning to be pushed throughout IT I worked at a retailer that did the majority of their business with credit/debit cards. Initially it was Internal Audit pushing to make everything compliant, long before IT Security got on board with it.

Our VP of IT reported to the SVP of Finance and Legal. There was quite a bit of push back and attitudes from the IT Staff while working with the Auditors.

During one of our IT all staffs the VP of IT did a presentation on PCI, what it was, how we were audited internally then externally and what the external auditors reported back basically came back something similar to a credit score. Based on that score our rate was determined on how

many percent the banks would charge to allow us to continue to process debit/credit cards. If you had a bad score they might bump you up another 1/4 percent if you were a risk.

Then he shared some yearly sales figures and showed what 1/4 percent of those equated to. It was an eye opener to a lot of people.

He then basically said it was too expensive to continue to employ people that couldn't/wouldn't work with the Auditors. I think everyone got the message.

Level 13




Wish we would follow this.


Level 15

We have found that annual training, followed by quarterly "tests", and enhance new employee training has been beneficial in moving our awareness marks up.  Thanks for the posting.

Level 14

Good article.  We have an annual CBT with an exam for everyone (staff and agency).  It is compulsory and the top level management enforce it.  No excuses.  I sit next to the IT Security Manager who did my job (SysAdmin) before I took over when he moved roles so he understands how the systems work.  I think we make a good team.  We now have ISO27001 and take it very seriously.  We have just passed an external audit.  We have several systems in place to monitor system access and block users trying to do stupid stuff.  Now just have to deal with a user who is insisting we install WeChat on her corporate laptop.  D'Oh.

Level 13

Thanks for the article

Level 13

Good post.  Thanks.  This is so true - keep hoping this will actually happen but sadly it hasn't yet.

Level 9

Good article and lays out some good practices in theory.

Issue is always getting buy-in...


This has been going on in the private sector for years now.

We get monthly phishing test emails...some are crafted quite well.

If you fail to report them and click on the link you get notified by cybersecurity after 2 or more.

Continued failures by blindly clicking on the links may get you counseled or put on a corrective action track.

So this is not a new thing, it just appears that the Federal side is slower to adopt practices of this sort than the private sector side.

Level 11

I see a lot of "blaming the victim" here. I have been in the PC industry since it came into existance and the end user is the only thing unchanged.  If someone leaves their keys in their car and it's stolen.  it's the car thief who's at fault not the owner.

Level 11

Thanks for the article.

Level 11

Security is only as good as the weakest link.  Sadly the weakest link is usually the person at the top of the organisation who isn't IT savvy so everything has to be designed around them 😕