How can CISOs make cybersecurity positive, productive, and inclusive, and maintain best practices across the enterprise?
Do your employees feel valued and important in their roles? More than 65 percent of employees say they don’t feel recognized at work, and 31 percent say they are “committed but feel that my company could do more to improve the employee experience”. How can CISOs (who are already busy fighting fires, trying to be in three places at once, and keeping plates spinning) empower their security staff to be productive, and empower the entire business, while still maintaining strict security standards?
Are employee autonomy and cybersecurity mutually exclusive?
Autonomy in the workplace promotes a more efficient and inspired corporate culture, but autonomy and IT security traditionally do not go hand in hand. Individual responsibility that supports the broader team does. Finding a person’s specialization and asking them, as the “expert”, to stand up and report on a single item to support their peers within the broader IT security function is a great way to show confidence in them and to recognize and respect the specific value they bring to the organization.
Initially, the assignment is made by a team leader, while the team member continues to work within (and report to) the support network of the entire security team. Not only does this give the individual responsibility, it also gives them a specialization (or two), selected jointly at the last employee review, and a position of responsibility within the organization while they remain supported by their peers. For example, members of the security team could own patching, physical installation, user access controls, working with IT staff to create a common business continuity / disaster recovery plan, tracking emerging threats, working with HR to train (and report on) company employees about phishing attacks and suspicious activity, security scans, or any of the hundreds of other areas that busy security teams have to deal with. It is great when an individual can contribute his or her strengths and interests, and individual responsibility for tasks also helps communicate a clear vision and demonstrates trust. Reporting at regular team meetings gives people a chance to communicate, to shine, and / or to ask for help.
Effective communication promotes productivity
One of the most cited complaints from employees in any role is lack of communication. This includes one-to-one interaction with individual leaders, and by its nature communication means listening to the concerns of employees and verbally acknowledging and appreciating their efforts, both publicly and privately.
This also includes accessibility. A closed door doesn’t help with communication. Leave your office door open and make it known that it is open. This may seem trivial, but it is one of the biggest barriers to easy communication and one of the most common complaints from employees. People should be able to easily reach management and expert opinion, and feel that their own opinions and ideas are welcome. Employees should know that they should never be afraid to ask questions. Be on Slack, WhatsApp, Teams, or whatever your team uses, and be available.
Stand-up meetings are always good for clarity and better access to knowledge. Stand-ups are traditionally part of the Scrum methodology, but they work for any team that wants to promote communication. Brief and simple, usually once a day for 15 minutes, these morning meetings answer three questions: What did you do yesterday? What are you going to do today? Is anything blocking your progress? Every employee has the opportunity to talk and everyone gets an insight into the team’s activities, so they can follow up after the meeting with ideas and support where needed. Based on the previous day’s results, you can also ask whether today’s plans need to be changed or adjusted, which gives the team greater flexibility and responsiveness. Stand-ups give employees a voice and offer teammates the opportunity to help each other by reacting to problems and removing blockers and obstacles.
Last but not least, make a conscious habit of saying thank you. A simple “good job”, “well done” or “thank you” goes a long way. Never forget how it felt when you were coming up through the ranks. Whether it’s an idea to improve network accessibility or a well-written report, let your people know when they are doing a good job. We do it for the money, but we stay out of respect and a sense of ownership. It is rare for people who feel valued to later become a willing insider threat or security risk.
Invest in the team and the tools they use
Good equipment and investment in software are important for IT security teams. Using human effort as a substitute for investment can rightly be viewed by security teams as a lack of support. If teams are wading through thousands of false positives every morning, or don’t have time for other important tasks because they’re playing security whack-a-mole, what does that say about how your company values and supports the cybersecurity team? IT security personnel are in great demand and KNOW their value in today’s security climate. Investing in cybersecurity tools that save time and money also gives team members the opportunity to be more proactive in other areas, such as threat modeling, red team exercises that build teamwork and security knowledge, or acting as security champions for the rest of the business.
Make cybersecurity policy part of the HR process
When someone joins your company, regardless of department or experience, they should take cybersecurity awareness training. Ideally, this should be delivered in person by your company’s IT security department rather than through online courses or a collection of videos. The personal touch MAKES it personal and reaffirms the importance of cybersecurity by letting the new hire be part of the conversation, ask questions and actively participate. Personal, ideally one-to-one, training stays in people’s conscious thinking and memory long after they have forgotten one of the many training videos or emails they had to consume during onboarding.
Simulated phishing drills (annually at a minimum; many teams run them quarterly or more often), password security training, and a security best-practice refresher should be standard training in every department. Keeping the material clear and relatable ensures a better understanding and promotes inclusion.
Teaching within the IT security department itself should be more proactive and at a higher technical level. Consider lunchtime lectures by your specialists and technical champions (people will usually give their time in exchange for knowledge and free pizza). A short talk on defending against zero-day exploits, or on the risks of using third-party code, given in an informal lunch setting with free Pepperoni Passion, builds team loyalty and sweetens the learning experience. It also gives your specialists a chance to shine, lets others learn about the topic and its value, and leaves room for Q & A. Team leaders should attend in person and show interest. There is also a very good chance that HR will pick up the bill, as they usually have a budget for such things.
Turn mistakes into teaching moments
It is worth remembering that the purpose of employee empowerment is to give employees the confidence to take controlled risks and make their own decisions, which includes accepting that mistakes will sometimes be made. There is no point in getting inappropriately upset or assigning blame; mistakes are part of the process, and employees don’t need to be torn apart when things don’t go according to plan. They need support, and policies and practices need to be improved wherever a mistake reveals a weakness, in the same blameless post-incident review mindset that good teams apply to production incidents.
Cybersecurity is notoriously busy and often reactive. Time-saving and preventative cybersecurity tools help, but it is how we lead that empowers our IT security staff to be productive and, in turn, empowers the entire company. As managers, we can make people feel valued and important in their roles through an open approach and the resources available to us, while raising and maintaining security standards at the same time.
“How to Empower Employees to be Secure and Productive” was written by Nik Hewitt and first appeared on the Imperva blog. Read the original article at: https://www.imperva.com/blog/how-to-empower-employees-to-be-secure-and-productive/