How can CISOs make cybersecurity positive, productive, inclusive, and maintain best practices across the enterprise?
Do your staff feel valued and important in their roles? More than 65 percent of employees report they do not feel recognized at work, and 31 percent say they’re “engaged but feel my company could do more to improve the employee experience.” How can CISOs (who are already busy fighting fires, cloning themselves, and plate juggling) empower their security staff to be productive and empower the wider company while maintaining stringent security standards?
Are employee autonomy and cybersecurity mutually exclusive?
Autonomy in the workplace fosters a more efficient and inspired company culture; however, autonomy and IT security don’t traditionally go hand in hand. Individual responsibility, supporting the wider team, does. Finding a person’s specialism and asking them, as the “expert”, to champion and report on a single element in support of their peers within the wider IT security function is a great way to show confidence in them and to acknowledge and respect the specific value they bring to the organization.
Initially, a team leader does this while the team member is still working within (and reporting to) the support network of the overall security team. Not only does this give individuals responsibility, but it also gives them a specialism (or two) – mutually chosen during their most recent staff appraisal – and a position of responsibility within the organization, while they retain the support of their peers. Security team members could, for example, be responsible for (and report on) patching, physical installation, user access controls, working with IT ops to build a shared business continuity/disaster recovery plan, new threats, championing work with HR to educate other company employees on phishing attacks and suspicious activity, security auditing, or one of the hundreds of other areas that busy security teams need to address. Not only does this let individuals play to their strengths and interests, but individual task responsibility helps to communicate a clear vision and demonstrates trust. Reporting at regular team meetings gives people a chance to communicate, a chance to shine, and a chance to ask for help.
Effective communication drives productivity
One of the most frequently cited complaints from staff in any function is a lack of communication. Part of this is individual management and one-to-one response – and by the nature of communication that means listening to staff concerns and verbally acknowledging and appreciating their efforts (publicly and privately).
Part of this is also accessibility. A closed door is no help to communication. Leave your office door open and make it known. This may seem trite, but it’s one of the biggest barriers to, and biggest complaints of staff regarding, ease of communication. People should be able to access management and expert opinion with minimum fuss, and should feel that their opinions and ideas are welcome. Staff should know they need never be afraid to ask. Be on Slack, WhatsApp, Teams, or whatever your team uses – and be available.
Standup meetings are always great for clarity and for improving access to knowledge. Standups are traditionally a part of Scrum methodology but can also be used simply to promote communication. Short and simple, usually once a day for 15 minutes, these daily morning get-togethers answer three simple questions: What did you do yesterday? What will you do today? Is anything blocking your progress? Each staff member gets a chance to talk, and everyone gets insight into the team’s activity – meaning they can pitch in and provide ideas and support after the meeting if needed. Also, based on the previous day’s results, you get to ask whether today’s plans need to change – affording better flexibility and response. Standups let staff be heard, and offer teammates the chance to help each other by reacting to problems and removing blocks and impediments.
Last but not least, consciously or subconsciously, people like to be thanked. A simple “Good work”, “Well done” or “Thank you” goes a long way. Never forget how you felt coming up. Whether it was an idea that improved network accessibility or a well-handled report, let your employees know when they are doing a good job. We do it for the money, but we stay for the respect and feeling of ownership. It’s rare that people who are appreciated become a willing insider threat or a security risk further down the line.
Invest in the team and the tools they use
Having good equipment and investing in software is important to IT security teams. Using people-power as a substitute for investment can be seen, rightly or not, as a lack of backing for the security team. If teams have to wade through thousands of false positives every morning, or don’t have time to do other important work because they are playing security whack-a-mole, what does that say about how your company values and supports the cybersecurity team? IT security personnel are highly sought after and KNOW their value in today’s security climate. Investing in cybersecurity tools that save time and money will also free up team members to be more proactive in other areas, such as threat modeling, red team exercises that promote teamwork and raise security knowledge, or acting as champions.
Make cybersecurity policy a part of HR
When someone joins your company they should, regardless of department or experience, undergo cybersecurity awareness training. Ideally, this should be led by the IT security part of your company, in person, as opposed to using online courses or a collection of videos. The personal touch MAKES it personal and reaffirms the importance of cybersecurity, giving the user a chance to be a part of the conversation, to ask questions, and to take an active part. Personal training, ideally one-to-one, will remain part of their conscious thinking and memory long after they’ve forgotten one of the many training videos or emails they had to consume during their induction.
Yearly simulated phishing exercises, password security training, and security best practices refreshers should be a standard training policy across every department. Keeping it unambiguous and relatable makes for a clearer understanding and promotes inclusion.
Teaching within the IT security department itself should be more proactive and of a higher technical standard. Using your specialists and technical champions, consider lunchtime lectures (people will usually share their time in exchange for knowledge and free pizza). A short talk on the importance of mitigating zero-day exploits and the risks of third-party code, in an informal lunchtime setting with complimentary Pepperoni Passion, makes for team bonding and sweetens the learning experience. This also gives your specialists a chance to shine, allows others to learn about the topic and its value, and leaves room for Q&A. Team leaders should be present themselves and take an interest. There’s also a very good chance that HR will foot the bill for this one, as they usually have an allocation for such things.
Turn mistakes into teaching moments
It’s worth remembering that the purpose of employee empowerment is to let people feel confident enough to take controlled risks and to make their own decisions, which includes accepting that sometimes mistakes will be made. There’s no point being unduly upset or recriminatory about this; it is a part of the process, and employees don’t need to be dragged over the coals if things don’t go to plan – they need to be supported, and policies and practices need to be developed wherever weaknesses are exposed.
Cybersecurity work is notoriously busy and often reactive, and while there are time-saving and preventative cybersecurity tools that will help, it is possible to empower our IT security staff to be productive and to empower the wider company. As managers, we can make people feel valued and important in their roles, using an open approach and the resources at hand, while boosting and preserving security standards.