The Problem With Cyber Security Being Everyone’s Job

Opinionated Security
CISO & Cyber Leaders
4 min read · Feb 1, 2020

It feels good to say that “information security is everyone’s job.” We like to think of it as a truism of high security awareness organizations. So, logically, we also believe that if we just say it enough times amongst ourselves, at security conferences, and to the business, cyber security will actually become a self-fulfilling prophecy. You know, like magic.

What’s worrisome is that such a simple and trite statement is easy to say and makes it easy for others to remove themselves from any level of responsibility for action. Yes, any given employee may have responsibility for security but, in their mind, their part is very small compared to everyone else, who really has to carry the bulk of the responsibility. Now, multiply that thinking across the entire organization.

Additionally, even if employees can internalize that their job includes security, they often don’t know what actionable steps they need to take on a day-to-day basis. Does security really need another non-actionable platitude? Without actionable steps, we’ll have another wishful phrase like “don’t do drugs” or “don’t get into car accidents.”

And, that’s a problem no matter how good it feels to say. Just saying it doesn’t make it so.

If you do want “security as everyone’s job” to be true in your organization beyond a slogan, someone will need to provide context, meaning, and actionable expectations to the statement. That “someone” is you, the cyber security practitioner.

The obvious fact is that the goal behind this saying isn’t that we want every person to be a full-fledged security practitioner. We want employees to be vigilant on key aspects of cyber security and cyber hygiene in the course of their own job. That could be finance, contracts, warehouse management. Whatever.

The challenge that we have as security practitioners is to take busy professionals in other fields across the organization and, from an enabler standpoint, present them with a compelling rationale to take on what they’ll view as additional work. They’ll need a reason to do it.

So, rather than focus on our needs as a security team, we need to find ways to compel each employee to follow good security practice within the day-to-day work that forms their role.

How?

  • You’ll need to understand what motivates other employees.

Culture impacts the ability to make change within a “tribe”. What makes your organization the tribe that it is? Who are the formal, and often informal, leaders within the organization who are best positioned and respected enough to make real change?

You’ll need to identify the levers that you need to pull that can help create informal peer pressure to engage in more secure practices. In some organizations, the lever might be the importance of protecting the company reputation and brand. In others, it might be protecting the catalysts that drive aggressive revenue growth.

Unfortunately, I can’t tell you what the levers are, as they are likely unique to your organization. But I can say that the lever that compels others is there and just waiting to be found.

  • You’ll need a good story.

The ability to tell simple, understandable stories helps provide context to broad audiences in an easy-to-internalize way. While you’ll be telling these stories to groups, you should also intertwine various culture and motivation levers so that employees individually feel like they are the star of the story that you are telling.

Hone the right message at the individual level and everyone will collectively feel like they own the responsibility for security.

  • You’ll need to set expectations and give guidance.

The message that is told through your story will need to be actionable. Employees should know what they are expected to do. The expectation can’t be that they’ll read a 10-page security policy, because no one will read it. That said, an achievable expectation might be that we ask them to follow a set of 3–4 bullet-pointed practices each month or quarter. Having a format in which you can explain the “why” behind the rationale for key policies will also increase uptake and internalization.

Remember that no one cares that you are leading if no one is following. Help the employees to follow.

  • The cyber security team will need to change their approach.

Employees won’t be able to internalize ownership of key aspects of security if the security team is still trying to own all of the business processes.

Your team will have to find time to hone new skills as well. You’ll need to develop engagement plans and negotiation skills that can more easily help others see past their objections to making cyber security their job.

If security really is everyone’s job, the cyber team will need engagement with literally everyone. The team can’t be working in a vacuum. This means taking off the mask, looking up from the tool consoles and the framework documentation to actually speak with people in an engaging and compelling way, and then helping them cross your finish line.

With the above approach, you’ll have a shot at making security compelling enough and actionable enough to make security part of everyone’s job.

You’ll know that you’ll have been successful when the empty platitudes are replaced with real actionable steps being communicated. That gives cyber teams a fighting chance that everyone, in the form of any individual employee and contractor with access to your systems, apps, and data, will understand what their part of ownership around cyber security really means.

At that point, you’ll be saying things that provide more value to the organization than just feeling good.

For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1

Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development