Managing Information Security Skepticism by Changing Workplace Culture | Tripwire

Managing Information Security Skepticism by Changing Workplace Culture

Posted on August 11, 2020
Managing Information Security Skepticism by Changing Workplace Culture
Imagine a workplace in which all of the staff support the function of information security. Employees report suspicious events, are committed to data privacy and see the value in completing the regularly scheduled compliance trainings. How much easier life would be for security professionals! Naturally, it’s hard for people to get behind something that feels foreign or is shrouded in mystery. Much to the vexation of security professionals, skepticism is a common response to the information security function within business. What problem does managing the internal skepticism to information security solve? Security is a critical element of any successful twenty-first century business. Shifting mindsets to supporting this arm makes the organization more likely to achieve its strategic objectives. Fortunately, effective communication is often the only strategy required to begin transforming skepticism into support.

Approachability

Due to the constant firefighting nature of the security field, information security professionals can often be quick to dismiss reports from staff that appear benign on the surface. Even if an employee reports a false positive, it is our responsibility as professionals to take all incident reports seriously. We will contribute to the culture of distrust and skepticism if we take lightly or ignore the concerns that staff bring to us. Security teams need to be as approachable as possible. A concrete way to do this is to implement an open-door policy and encourage all security staff to do the same. Make sure that all employees know where to find you and welcome them to visit and contact you directly with any suggestions or concerns. Princeton University recently reported to Secureworld that they implemented an open-door policy to allow for better communication among internal teams and the cybersecurity arm of the school and how it saw tremendous success.

Foster Goodwill Among Teams

It is no secret that internal collaboration makes life easier for everyone. It allows initiatives to be implemented faster and leads to improved processes. Effective communication is a simple way to foster goodwill among teams, which is a key tenant of internal collaboration processes. When we promote goodwill between the security group and other teams, we improve trust, which is necessary to shift staff from being skeptics to being supporters. Fostering goodwill does not have to be an arduous effort. Simply communicating positively, offering to help other teams with their initiatives and actively listening to the concerns of internal groups are easy ways to develop this trust and goodwill.

It’s Not Personal

It can be difficult to distinguish the actual reason for skepticism from skepticism towards the individuals on the security team, but that is crucial for effective collaboration. We need to recognize that an employee’s incredulity towards security is most often towards the function, not the individual driving it. Though this can be arduous to separate, it is something security professionals must do in order to both remain professional and to advance the cybersecurity culture.

Don’t Be on the Offense

Never underestimate the power of positive language when communicating tough topics, especially those related to security. From insider threats to sensitive data privacy discussions, there is extensive research to evidence that utilizing positive language and framing, even when discussing prickly topics, can lead to better business relationships. No one enjoys undergoing what they perceive as monitoring, or dealing with a business function they believe is inhibiting their daily work. Unfortunately, those outside of security teams often associate information security and data privacy with these activities, which contributes to the culture of skepticism. While we should consistently support our information security practices, we should also take every opportunity to communicate to staff that security is a function meant to enable them, not to hinder their day-to-day responsibilities. Be welcoming of conflicting opinions regarding security, but take time to explain to fellow teams that security is meant to contribute to the success of business objectives, not to operate as a mysterious function that requires skepticism or distrust. A cultural shift from skepticism to support may not be an overnight endeavor, but it does not require anything more than effective communication between the security team and other groups within the business. Being approachable, not taking distrust of security personally, and encouraging cross-functional team collaboration are actionable items that are free and require only solid interpersonal skills. Put these suggestions into action, and your business will be well on your way to mirroring the workplace visualization mentioned in this article’s introduction. It will move towards becoming a business in which all staff support the function of information security. Implement these suggested practices, and that workplace will be well within your reach.
Keavy-Murphy.png
About the Author: Keavy Murphy is passionate about cybersecurity, especially for new and emerging companies, and prioritizes the use of soft skills to effectively manage security and data privacy in parallel with business objectives. Previously, she served in information security roles within both the finance and consumer-directed healthcare fields. She enjoys writing about and researching the benefits of effective communication within the security space, and her work has most recently been published in Infosecurity Magazine.  Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!