For decades, security awareness programs focused on the human element of security, but from a negative perspective.
We learned early on as security professionals that the weakest link in our security program is the human we’ve been trying to protect. Our security awareness training focused on changing negative behaviours of our employees to reduce the impacts caused by them clicking on links, propping open doors, or inadvertently providing sensitive information to competitors or criminals.
We targeted the issues we all had to deal with — the employee who continually forgot their badge, or the executive who kept clicking on links embedded within our phishing campaigns.
Consequence and punishment followed — ranging from extra courses from our cybersecurity team right up to suspension and even dismissal for continually disobeying the “security rules.” Throughout my career I’ve been fascinated by security’s response to the people we’re trying to protect and to what lengths we go to ensure they’re doing “the right thing” to keep our organizations safe.
In so many cases, though, we missed the mark. We’d send out brochures, stickers, stress-relieving squeeze balls or security-themed mouse pads, all carrying our department mantra and messages, desperately trying to convince our employees to think before they click, to assess their surroundings before they open a door, or to challenge someone (albeit politely) if they see that person isn’t wearing a badge.
What if we looked at our biggest “problem” as part of the solution? What if security professionals start from a different place — one of respect and acknowledgement? What if we took a part of the ESRM (Enterprise Security Risk Management) philosophy, truly engaged our employees, and asked them to join the security team in creating a more resilient organization?
There is a cultural change that is challenging security professionals to look at our employees as advocates for the security program. This approach asks security professionals to see their employees as the greatest strength of the corporate security program — empowering every employee to actively look for risks, report them to the security team and become ambassadors for the security program! This is a paradigm shift from our current perspective, but one we really should assess for our own organizations.
What if we changed our perspective and looked at our employees as an extension of the security team? Concepts like Human Risk Management and recent research conducted on the human element of security are taking hold in organizations, with measured success. The concepts seem straightforward — create an environment where every employee in an enterprise receives the right training and executive support to help champion the security program without fear.
If this looks so easy, why isn’t every company following this approach? First, we must move from the negative headspace of employees being “the weakest link” to becoming security program ambassadors. The organization must empower all employees to report risks they identify and even help develop mitigation strategies in collaboration with the security team. This approach is a supplement to ESRM and creates greater engagement while reinforcing the concept of Design Thinking.
We’d train our employees to look at a situation through our eyes, and then report their observations to the security team. The process takes more time, support and training — but the rewards can far outweigh the initial costs. Employees become fully engaged with the security program!
How successful would our security programs be if employees became true partners, not only taking our security training and following our policies and standards, but also evangelizing them? What if we relied as much on our employees as our technology? I’d sure like to find out!
Tim McCreight is the national director, market development and strategic advisory at CGI (www.cgi.com)