Security Engagement in the Flow of Work

Travis Good
March 3, 2022

Where does work get done today? Whether it's remote, hybrid, or in person, work is done primarily in SaaS apps. Adding a record to your Hubspot CRM, creating and sharing a Google sheet, replying to a Zendesk support ticket, configuring a cloud service in the AWS dashboard, logging an internal issue in Atlassian Jira, creating a knowledge base doc in Notion, or communicating in Slack are all part of the new flow of work that is now almost 100% digital.

As we navigate these flows of work in SaaS apps, security and privacy is often not at the top of one's mind (for “privacy”, think maintaining PHI and HIPAA protections in Slack). Employees assume SaaS apps are secure and, for the most part, they are secure; but, the work employees do in these SaaS apps does have security and privacy implications, even if employees don’t realize them.

Employees need help to make better security decisions

We need to help employees make better security and privacy hygiene decisions by engaging them in the flow of work within the SaaS apps they use. There are hundreds of actions employees take each day in SaaS apps that have potential security and privacy implications. With new and expanding data regulations, the regulated data surface and landscape is everywhere, including 100% of SaaS apps.

Security and privacy engagement needs to be proactive. We can’t expect employees to access material that we simply make available, even when we embed links to the material in SaaS apps. We need to push the right content to the right person at the right time.

Remote work additionally complicates the security hygiene challenge for employees. Remote work gives employees more autonomy. This autonomy is manifested in SaaS app workflow that employees can now do from anywhere, usually on their phones or via computer. Just as people are more likely to make rash buying decisions because of the ease of ordering from Amazon’s apps, employees can more easily make rash decisions in SaaS apps that have security and privacy implications for your company.

Security Engagement in Slack

Finding and engaging employees when and where they work is the key to helping them make better security and privacy decisions. Effective engagement does not happen in a clunky LMS or web app and, with remote, it’s not in a physical classroom or in an all-hands meeting.

Enter Slack. Slack is a simple chat platform. But, it’s also so much more for today’s companies and employees. Slack is the operating system for modern work. Through integrations with SaaS apps, data, alerts, and even actions from the flow of work are fed into Slack. Standups and meetings are done in Slack. Games and icebreakers are done in Slack. Slack is the new HQ for companies that have anchored on it.

Slack is also the perfect platform to engage users on security and privacy. Slack is always accessible and doesn’t require a new login or UI. Messages are easy to make responsive to inputs from users. Slack is the ideal delivery and engagement mechanism for bite size, tailored teaching on security awareness and HIPAA.

Beyond Security Awareness in Slack

Security awareness, that status quo today, is reactive to external requirements, typically audit requirements. There is a theoretical reduction in human risk with security awareness but, for the most part, security awareness today is design to check the box for an audit.

Securing engagement in Slack goes beyond security awareness. Security engagement is proactive and meets the needs of users for relevant, timely, and useful learning content. This form of security awareness and HIPAA training checks the box for audits but it also has the potential to meaningfully reduce the risk to companies.