How to Develop a Healthy Cybersecurity Culture with Empathy and Empowerment

By George Finney, Instructor of the ProThink Learning Course Cybersecurity Habits Every Employee Should Master

ProThink Learning · 6 min read · Nov 11, 2021

“If you had bought our product, you would have been safe. So, now would be a really good time to buy our product.” This is a common refrain in cybersecurity: Vendors use fear to sell products, and security leaders use fear to get money to buy those same products.

Reliable, effective cybersecurity in your organization takes more than just delegating a security strategy to an information officer. Instead, it requires building a whole culture that teaches and strengthens good security habits. When an organization values empathy and empowerment, where employees take responsibility for their own results, and where innovation is fostered, the company has a greater chance of succeeding at any goal, including cybersecurity. If your organization’s culture fails to address fear around cybersecurity, or actively encourages it, here’s how you can create a more hopeful and healthy culture for your organization.


Begin With Your Most Valuable Resource — Your Employees

If employees feel like they’re just following orders, their security muscles get tired much faster. If they feel like what they’re doing doesn’t matter or that they can’t make a difference, it takes significant amounts of organizational effort to do the same tasks. Creating a culture that moves beyond incentives and instead gives employees purpose is what will make the biggest difference in your cybersecurity program.

This shift requires employees to be empowered to make decisions of consequence. To do this, you need to make sure that you are giving all employees, not just cybersecurity professionals, the tools to make timely and relevant decisions. This process empowers employees by giving them roles to play and requires leadership to acknowledge that employees have the authority to make decisions. Here are some ways you can deputize your staff:

· Ask for help. Encourage employees to report potential security issues and offer suggestions for improving safety practices. Providing a channel for people to share on these topics can be a great invitation for collaboration.

· Develop an internal security advisory council. Make this team an active and contributing part of your security governance by empowering it to create organization-wide security risk registers and prioritize the risks to manage.

· Create a cybersecurity newsletter. Having a place to share real stories about how cybercriminals have affected real customers and employees will help create a human connection to security.

· Conduct regular breach drills. By allowing everyone in the company to participate, employee awareness regarding your procedures will increase. Assign departmental captains to help organize and track progress.

· Establish an award program. Recognizing all employees, not just your IT team, for their contributions to cybersecurity will incentivize everyone to participate in safe practices and learn your procedures. Recognition could occur through shout-out email lists or MVPs in your cybersecurity newsletter.


Create an Environment of Hope and Empathy

Learned helplessness is the phenomenon in which people adopt a sense of powerlessness because they believe that there is little they can do to change their circumstances. This attitude usually comes about as a result of a traumatic event, repeated discouragement, or even stress. People inside large organizations can easily fall victim to learned helplessness because of the bureaucracy, politics, and other pressures inherent in such organizations. But the good news is that learned helplessness can be reversed through support and empowerment.

If your organization’s attitude toward cybersecurity is defined by fear, blaming people for cybersecurity woes, or emphasizing speed over caution, many of your employees may be experiencing learned helplessness when it comes to cybersecurity. With some of the following activities, you can shift your organization’s culture to one of empathy and support, making individuals more likely to unlearn their helplessness.

· Stakeholder Meetings: Allowing your security staff to lead meetings with the top 50 stakeholders creates an opportunity to establish expectations around cybersecurity and build partnerships, while also establishing a better understanding of the organization’s existing culture.

· Employee Orientation: Require all new hires to meet with your cybersecurity personnel. This will move security to the foreground of their priorities and set the expectation that the organization cares about security.

· Kaizen Days: Adopted from Toyota’s kaizen approach of continuous improvement, establish days where employees are asked to focus on improving processes, including cybersecurity activities.

· Competitions: Gamify security to create a strong motivation for change. An example includes creating a contest for who can identify the most phishing emails.


· Baked-In Security: Security team members should be added by default to every project so they can act as consultants and partners rather than obstacles to meeting later objectives. Don’t let security become an afterthought where it is “bolted on” after a product is designed or a project is complete.

· The Security Minute: Set aside the first minute of every meeting to reinforce the importance of cybersecurity. This will help keep security top of mind and shift your culture toward security.

· Spring-Cleaning Events: Paper and digital litter accumulates over time, and data becomes a liability once its useful life cycle has ended. Schedule annual cleanouts to give employees time to destroy old documents, while also reinforcing the expectation that employees should delete data when it’s no longer needed.

Moving From Theory to Practice

While some of these strategies, with the addition of cybersecurity training programs, might do a great job informing employees about risks, your employees might still have difficulty integrating the practices they learn into their daily lives. For basic routines to become habitual, we must regularly remind ourselves to perform them. But many cybersecurity routines, like updating your phone, are only performed a few times a year, so it’s sometimes difficult to build these habits. Cybersecurity skills are like muscles and require regular conditioning to keep them strong.

One way to encourage the development of these habits in your employees is through random acts of security. Challenge employees to perform one intentional action each day, at random, that makes their environment more secure, whether at home, at work, or in the community. It’s important that they identify the action they will perform before doing it, instead of just noting the act afterward. This intentionality will make the action more impactful and memorable. Furthermore, the actions must vary enough from day to day to be effective at cementing the long-term impact.


At the end of your security training, challenge employees to perform one security act each day, such as:

· Confronting someone “tailgating” through a secured door without using their own card access.

· Instead of clicking on a link, going directly to the website or calling the sender to ensure the message is really from them.

· Establishing a clean desk policy by removing papers from your desk before you leave at the end of the day.

· Introducing the security minute at the beginning of a meeting.

Cybersecurity is More Than Just Strategy

Cybersecurity is only one facet of an organization’s overall culture, and it must be considered part of a larger whole before it can change. Practicing the strategies outlined above to create a culture of empowerment and empathy will help your employees develop a security mindset and give people the chance to believe they can make a difference. And, given the chance, they will. Once you begin to establish a strong cybersecurity culture, different people inside your organization will begin to take more active roles in performing security routines.
