A security department may sometimes be referred to by executives as the ‘Business Prevention Department’. Cyber security professionals, eager to minimise potential risks, can put controls in place that may stifle productivity and innovation.
Cyber security professionals are often too aware of what the business shouldn’t do and forget to mention what it should be doing instead. Ok, USB ports are now blocked, but have we provided people with an alternative to share files securely? Yes, we might’ve mitigated the risk of introducing malware through a flash drive, but have we considered a wider impact on the ability of employees to perform their core business activities, and, in turn, on overall profitability of the company.
Instead of saying ‘No’ to everything, let’s try to understand the business context of what we are trying to protect and why. Because that’s what actually matters and is absolutely key when designing security solutions that work.
People often think that security is the opposite of usability. In reality, the reverse is true. Design and security can coexist by defining constructive and destructive behaviours: what people should and shouldn’t do. Effective design, therefore, streamlines constructive behaviours while making risky ones harder to accomplish.
To do this effectively, security has to be a vocal influence in the design process, and not an afterthought. But it can only regain this influence if the value to the people and business is first demonstrated.
Wondering why your security policies don’t work? Ask your staff! Empathy, communication and collaboration are vital to build a culture of security. Security professionals need to shift their role from that of policeman enforcing policy from the top-down through sanctions to someone who is empathetic to the business needs and takes time to understand them.
Security mechanisms should be shaped around the day-to-day working lives of employees, and not the other way around. The best way to do this is to engage with employees and to factor in their unique experiences and insights into the design process. The aim should be to correct the misconceptions, misunderstandings and faulty decision-making processes that result in non-compliant behaviour.
Changing culture is not easy and will take time; but it is possible. Check out my book to find out more about developing an effective business-oriented security programme and improving security culture in your organisation.
Cyber Security Leadership 