Approachability

Due to the constant firefighting nature of the security field, information security professionals can often be quick to dismiss reports from staff that appear benign on the surface. Even if an employee reports a false positive, it is our responsibility as professionals to take all incident reports seriously. We will contribute to the culture of distrust and skepticism if we take lightly or ignore the concerns that staff bring to us. Security teams need to be as approachable as possible. A concrete way to do this is to implement an open-door policy and encourage all security staff to do the same. Make sure that all employees know where to find you and welcome them to visit and contact you directly with any suggestions or concerns. Princeton University recently reported to Secureworld that it implemented an open-door policy to allow for better communication among internal teams and the cybersecurity arm of the school, and that it saw tremendous success.
Foster Goodwill Among Teams

It is no secret that internal collaboration makes life easier for everyone. It allows initiatives to be implemented faster and leads to improved processes. Effective communication is a simple way to foster goodwill among teams, which is a key tenet of internal collaboration processes. When we promote goodwill between the security group and other teams, we improve trust, which is necessary to shift staff from being skeptics to being supporters. Fostering goodwill does not have to be an arduous effort. Simply communicating positively, offering to help other teams with their initiatives, and actively listening to the concerns of internal groups are easy ways to develop this trust and goodwill.
It’s Not Personal

It can be difficult to distinguish the actual reason for skepticism from skepticism towards the individuals on the security team, but that is crucial for effective collaboration. We need to recognize that an employee’s incredulity towards security is most often towards the function, not the individual driving it. Though this can be arduous to separate, it is something security professionals must do in order to both remain professional and to advance the cybersecurity culture.
Don’t Be on the Offense

Never underestimate the power of positive language when communicating tough topics, especially those related to security. From insider threats to sensitive data privacy discussions, there is extensive research to evidence that utilizing positive language and framing, even when discussing prickly topics, can lead to better business relationships. No one enjoys undergoing what they perceive as monitoring, or dealing with a business function they believe is inhibiting their daily work. Unfortunately, those outside of security teams often associate information security and data privacy with these activities, which contributes to the culture of skepticism. While we should consistently support our information security practices, we should also take every opportunity to communicate to staff that security is a function meant to enable them, not to hinder their day-to-day responsibilities. Be welcoming of conflicting opinions regarding security, but take time to explain to fellow teams that security is meant to contribute to the success of business objectives, not to operate as a mysterious function that requires skepticism or distrust.

A cultural shift from skepticism to support may not be an overnight endeavor, but it does not require anything more than effective communication between the security team and other groups within the business. Being approachable, not taking distrust of security personally, and encouraging cross-functional team collaboration are actionable items that are free and require only solid interpersonal skills. Put these suggestions into action, and your business will be well on its way to mirroring the workplace visualization mentioned in this article’s introduction. It will move towards becoming a business in which all staff support the function of information security. Implement these suggested practices, and that workplace will be well within your reach.