How can CISOs make cybersecurity positive, productive and inclusive while maintaining best practices across the enterprise?
Do your staff feel valued and important in their role? More than 65 percent of employees say they don't feel recognized at work, and 31 percent say they are "engaged but think my company could do more to improve the employee experience." How can CISOs (who are already busy fighting fires, trying to be in several places at once, and spinning plates) enable their security staff to be productive and hold the entire company accountable while maintaining high security standards?
Are employee autonomy and cybersecurity mutually exclusive?
Autonomy in the workplace fosters a more efficient and inspired corporate culture. However, autonomy and IT security have not traditionally gone hand in hand. Individual responsibility, exercised in support of the team at large, does. Finding a person's specialties and asking them, as the "expert", to champion and be accountable for a single element in support of their peers within the larger IT security function is a great way to show confidence in them and to recognize and respect the specific value they bring to the organization.
Initially, a team leader does this while the team member is still working within (and reporting to) the wider security team's support network. Not only does this empower individuals, it also gives them a specialization (or two), mutually chosen during their last staff appraisal, and a position of responsibility within the organization, while keeping the support of their peers. Security team members could, for example, be responsible (and accountable) for patching, physical installation, user access controls, working with IT operations on a shared business continuity / disaster recovery plan, tracking emerging threats, working with HR to educate other employees about phishing attacks and suspicious activity, security audits, or any of the hundreds of other areas that busy security teams need to address. Not only is it good for individuals to be able to use their strengths and interests, but individual responsibility for tasks helps communicate a clear vision and demonstrates confidence. Reports at regular team meetings give people a chance to communicate, to shine, and to ask for help when they need it.
Effective communication boosts productivity
One of the complaints most often cited by staff in any function is a lack of communication. Part of this comes down to individual managers and how they respond, and to the nature of communication itself, which means listening to staff concerns and verbally acknowledging and appreciating their efforts, both in public and in private.
Part of it is accessibility as well. A closed door does not help communication. Leave your office door open and let people know that they are welcome to come in. It might sound trite, but this is one of the biggest hurdles and one of the biggest complaints from staff when it comes to ease of communication. People should be able to get the advice of management and experts with a minimum of fuss, and feel that their opinions and ideas are welcome. Staff should know that they never need to be afraid to ask. Be on Slack, WhatsApp, Teams, or whatever your team uses, and be available.
Stand-up meetings are always good for clarity and for improving access to knowledge. Stand-ups are traditionally part of the Scrum methodology, but they can also be used simply to promote communication. Short and simple, usually once a day for 15 minutes, these daily morning meetings answer three questions: What did you do yesterday? What are you going to do today? Is anything blocking your progress? Each staff member has the opportunity to speak and everyone gets an overview of the team's activity, meaning they can provide input and offer ideas and support after the meeting as needed. In addition, based on the results of the day before, you can ask whether today's plans need to be changed or reprioritized, which gives better flexibility and responsiveness. Stand-ups allow staff to have their voices heard, while giving teammates the ability to help each other by responding to issues and removing blockers and obstacles.
Finally, consciously or unconsciously, people like to be thanked. A simple "Good job", "Well done" or "Thank you" goes a long way. Never forget how it felt when you were in their position. Whether it's an idea to improve network accessibility or a well-managed report, let your employees know when they're doing a good job. We take the job for the money, but we stay for the respect and the feeling of belonging. People who feel valued rarely become willful insider threats or security risks later on.
Invest in the team and the tools they use
Having the right equipment and investing in software is important for IT security teams. Using people-power as a substitute for investment can be viewed, rightly or wrongly, as a lack of support for the security team. If the team has to wade through thousands of false positives every morning, or has no time left for other important security work, what does that say about how your business values and supports its cybersecurity team? IT security staff are in high demand and know their value in today's security environment. Investing in cybersecurity tools that save time and money also allows team members to be more proactive in other areas, such as threat modeling, red team exercises that promote teamwork and increase security knowledge, or acting as security champions for other teams.
Integrate cybersecurity policy into HR processes
When someone joins your company, regardless of their department or background, they should take cybersecurity awareness training. Ideally, this should be led by the IT security side of your business, in person, rather than through online courses or a collection of videos. The personal touch makes it personal and reaffirms the importance of cybersecurity, giving the new hire the chance to join the conversation, ask questions and take an active part. Personal training, ideally one-on-one, will remain part of their conscious thinking and memory long after they have forgotten the many training videos and emails they consumed during onboarding.
Annual phishing simulation exercises, password security training and reminders of good security practice should be standard training policy in every department. Keeping the material unambiguous and relevant allows for clearer understanding and promotes inclusion.
Training within the IT security department itself should be more proactive and of a higher technical standard. Using your specialists and technical champions, consider lunchtime talks (people will typically give their time in exchange for knowledge and free pizza). A short talk on the importance of mitigating zero-day exploits and the risks of third-party code, in an informal lunchtime setting with a free Pepperoni Passion, builds team bonds and sweetens the learning experience. It also gives your specialists a chance to shine, lets others learn more about the topic and its value, and leaves room for questions and answers. Team leaders must be present and show an interest. There is also a very good chance that HR will foot the bill, as they usually have an allowance for such things.
Turn mistakes into teaching moments
It should be remembered that the purpose of employee empowerment is to make people feel confident enough to take controlled risks and make their own decisions, which includes accepting that mistakes will sometimes be made. There is no point in being unduly upset or complaining about it; it is part of the process. Employees don't need to be hauled over the coals when things don't go as planned. They need to be supported, and policies and practices need to be improved wherever the mistake has exposed a weakness.
Cybersecurity is notoriously busy and often reactive, and although cybersecurity tools that save time and prevent firefighting will help, it is also possible to empower our IT security staff to be productive and to hold the whole company accountable. As managers, we can make people feel valued and important in their roles, using an open approach and the resources available to us, while strengthening and maintaining security standards.
This is a Security Bloggers Network syndicated post from the Imperva blog, written by Nik Hewitt. Read the original post at: https://www.imperva.com/blog/how-to-empower-employees-to-be-secure-and-productive/