It’s not easy being the “Department of No,” those security people who block access to everything—the ones who force employees to change their passwords and use multi-factor authentication. Security itself isn’t the problem; in fact, it’s an asset. But when people across the organization see security simply as a barrier, security practitioners end up feeling not just overwhelmed but also underappreciated—and sometimes flat-out disliked.
In a recent study published by Thycotic, nearly two thirds (63 percent) of the 100 survey respondents confessed that their organizations have a negative perception of them or their security teams. In many cases, employees categorize security as the company’s doom-and-gloom naysayers. Even more troubling is that 36 percent of survey respondents said their organizations view security as a “necessary evil.” That label conjures up images of people sighing heavily with loud and long exhales accompanied by eye rolls.
A little more than 1 in 4 respondents said the culture of their organizations is such that most feel security is a technology process that should run in the background and go largely unnoticed in day-to-day operations—and so, too, should the professionals in charge of those technologies.
The Danger of Apathy
Despite the fact that I work remotely, improving security awareness programs is top of mind for me. But outside of the industry, does anyone see the value that security practitioners bring to the business?
Having just completed the Certified Security Awareness Practitioner (CSAP) course offered by InfoSec Institute, I am deep in reflection mode, thinking a lot about how to make security matter to humans. It’s long been a favorite topic of mine.
InfoSec Institute’s chief evangelist, Lisa Plaggemier, who taught the CSAP course, said that the first step in developing a security awareness program is to understand your audience. If the Thycotic study is a sampling of the views of the industry at large, many training practitioners are trying to change the behavior of people who see security as a nuisance.
That leaves awareness programs tasked with creating content that will actually grab people’s interest and bring them to the point where they actually want to learn about good cyber hygiene. When that happens, there is a better chance they will eventually change their behavior.
Yet, 13 percent of the good guys and gals who are in the trenches defending the business against myriad threats every day say that they experience negativity toward their team and their work “all the time.”
Befriend the Defenders
That’s a people problem. Maybe it’s a Pollyanna perspective from a remote worker, but shouldn’t ensuring that their employees are not treated negatively by their colleagues be a top priority for every organization?
Here’s the reality that every company is faced with today: Security is a business risk that only can be mitigated when people, processes and technology are working in harmony. However, according to the study, almost three-quarters (74 percent) of security professionals reported negativity or indifference regarding the introduction of new security measures and policies.
Only 41 percent of companies have a CISO in place on the board and only 44 percent of respondents said the C-suite values their security teams and sees them as a positive force for innovation, according to the study.
“At a time when security teams are under huge pressure and play an increasingly strategic role within the company, it’s disappointing that they’re not feeling valued either by their co-workers or by senior executives,” said Joseph Carson chief security scientist and advisory CISO at Thycotic.
“The fact that negative opinions are rife among employees also suggests that security teams need to work harder to communicate the strategic importance of their roles to the business and reinvent themselves as ‘facilitators’ rather than ‘enforcers’ who enable the business to run smoothly.”
Spreading the Message of Security
Key in Carson’s message is the word “communicate,” a soft skill desperately needed if security teams hope to reinvent their image. Companies need to do more to change the culture of their organizations if they hope to dispel the myth that security controls and programs serve little to no value and only hamper productivity.
For other departments to understand what security is trying to achieve, companies need to move in the direction of creating a cyber-aware culture. Culture isn’t created through policies and controls, though. Culture is built through communication, not a dense poster filled with information that no one reads or an annual computer-based training that employees click through while they are on conference calls.
A security-aware culture can be built, but it can only be done through interpersonal engagement. If the business hopes to mitigate the risks from cyberthreats, security and security teams need to be seen as critical to protecting all of the business, which include its employees. Let the technical people do that job.
On-Board Soft Skills to Build a Successful Security Team
The fact remains that humans are the weakest link in the security chain, which is why the security team needs to include more than technically savvy folks. A strong team should include security-minded professionals who also possess the soft skills needed to make communicating the team’s goals across the organization easier.
If security practitioners want to feel more appreciated, they need to tout their strengths but also identify their weaknesses, then find a way to compensate for those weaknesses by building a well-rounded team of ambassadors who can go out to the rest of the organization and re-brand security. Adding a people-person to the security team says that the team values people, and the people will, in turn, start to value security.