Building a security culture of “Yes”

Today’s columnist, Ryan Davis of NS1, says the TSA’s slogan of “see something, say something,” should become a mantra for all security organizations in today’s heightened threat environment. (Photo by Scott Olson/Getty Images)

In the face of constant threats, cybersecurity professionals are typically risk-averse when vetting employee requests and are known for implementing strict practices that can restrict workflows and efficiency. Faced with heavy workloads and short deadlines, most workers naturally want to take the path of least resistance. If checking in with security becomes complicated or time-consuming, employees will find a way to circumvent security protocols, which inevitably puts the organization at risk.

Addressing this challenge requires a shift in communication and engagement. Security teams must work to remove communication and reporting roadblocks, positively reinforce desired security outcomes and start at “yes” when evaluating new requests and projects. By implementing the following recommendations, security leaders can change corporate perception of security and build a more collaborative culture with their company’s workforce.

  • Communicate strategically to foster collaboration.

Encouraging a proactive partnership for companywide security should become a top priority for security leaders. This may require reframing communication as “security needs everyone’s help to succeed” rather than “security aims to stop workers from making mistakes.” It’s vital to emphasize that security doesn’t want to slow down or overcomplicate anyone’s jobs. Security aims to protect the business and its employees — since everyone wants the business to succeed.

The theme of working together organically should extend to mandated security training. Rather than lengthy annual training sessions that disrupt the workday, consider offering short sessions at more frequent intervals that are interesting or even witty, so people will engage.

  • Remove communication and reporting roadblocks.

Encourage employees to report anything that could pose a cybersecurity threat. “See something, say something” has become more than just a successful TSA campaign slogan: it’s a mantra that everyone should now embrace as they work. This can only succeed if the company creates quick and painless reporting processes. Remove roadblocks to communication and reporting by establishing pathways within existing tools, such as Slack, and structure these channels as opt-in so that employees who join feel they are actively helping contribute to the company’s security efforts. Make reporting phishing attempts as easy as clicking a button within their email platform. Leverage DevSecOps tools that plug into CI/CD workflows to make it easy for software teams to find and quickly fix vulnerabilities before pushing code into production.

This reporting approach creates a win for everyone. Those who report vulnerabilities feel like they made a difference without being inconvenienced. The reports give security teams a lot to investigate, but employees can often offer critical context that helps identify real threats. These details can make a difference when investigating and triaging potential issues.

  • Positively reinforce good behavior.

Security’s goal of preventing and mitigating bad outcomes can often lead to negative reinforcement. Examples range from fairly mild, such as red warning banners blocking emails, to extreme, such as departmental ratings or “lists of shame.” But too often, those who exemplify security best practices tend to fly under the radar.

Security leaders will see a substantial shift in engagement and participation by emphasizing positive reinforcement and public recognition. It’s often quite simple: put a security gold star next to the names of employees who have reported security concerns on Slack. If employees see their coworkers engaging actively with security, they will also want to contribute.

  • Adopt a “yes, and…” approach.

Once security has built a collaborative foundation, adjust how the department handles new technology and project requests. This requires saying “yes, and…” whenever possible instead of “no.”

Anyone familiar with improv knows the value of “yes, and…” — agreeing with someone, but adding another angle. For security, this means recognizing the value that a requested tool or integration could provide, identifying possible risks, and determining whether saying “yes” — perhaps with some caveats or considerations — can help the company mitigate risk.

For instance, a request for a new type of HR software may reduce some manual processes but raise concerns about how the data is managed. In this case, the security team may approve the use of the software but require that certain features be turned off. If the company achieves the desired benefit, the experience will remain positive for everyone involved, and the team making the request will be more likely to consult with security in the future.

Building a collaborative security culture that starts with “yes” directly impacts how effectively security teams can protect their companies. If communication and reporting are painless, finding and neutralizing potential risks will become easier. Continual positive reinforcement and working together to achieve desired outcomes will foster a culture that prioritizes security, ultimately improving employee experiences and creating a thriving, more secure business environment.

Ryan Davis, chief information security officer, NS1