Last week, we had a great discussion on Motivating Employees to Build a Stronger Security Culture with special guest Jinan Budge, Principal Analyst at Forrester Research along with Jadee Hanson, CISO and CIO at Code42, and Chrysa Freeman, Security Awareness Expert at Code42. You can watch the recording below, but here are the key takeaways.
Empathy above (almost) everything
Employees are human. Building trust and understanding the ways they need to do their jobs (as well as the ways they can mess up) should be table stakes. It is important to approach conversations with employees about potential infractions through the lens of trying to understand why something happened. All too often it is possible to receive an alert, perform a cursory investigation and reach a conclusion about intent and impact before discussing with the employee why all of their cloud data suddenly started syncing to their laptop. Maybe it was an attempt to infiltrate or exfiltrate data, or, more likely, maybe it was simply a lack of understanding of what the “trust device” dialog means.
As the panelists pointed out in our discussion, approaching every interaction from the perspective of a desire to understand will not only build trust between employees and the security team but will also contribute to a broader knowledge of best practices and the opportunity for self-reporting when risky behavior surfaces in the future.
At the end of the day, there will be times when it becomes necessary to involve legal or punitive action to protect the good of the business; however, our panelists recommend that this be the last tool reached for, rather than the first.
There’s a framework for that
Luckily for those of us who aren’t Jinan, Jinan Budge has done a lot of thinking about how best to deal with and categorize insiders, whom she places into four groups. The categories are organized along two axes: from low to high severity of breach, and from a single occurrence to multiple repetitions of the behavior. The four archetypes are as follows:
Victim: one mistake, causing a serious breach
Human: failed one or two tests, no harm done
Troublemaker: frequent offender, causing havoc
Serial offender: high-risk employee, constant risky behavior
You can read more about the interventions Jinan recommends, and her further research, in the blog post she wrote here.
The axiom “give someone a fish and they will eat for a day; teach someone to fish and they will eat for a lifetime” is no less true now than it has ever been. Most of the time, education is the best intervention when it comes to an incident of insider risk. With that said, education shouldn’t just be “watch exactly the same modules we assign for compliance training every year” either. As our panelists pointed out, there’s a balance to be struck when it comes to educating employees; if you strike it right, they will begin to steer your culture in the right direction and become an extended part of your security team. Sometimes education should be a targeted training module, and sometimes it should take the form of a conversation with the security team. In either case, starting with a desire to teach rather than punish is what everyone on our panel would recommend.
For the full readout of what we discussed in the session, watch the video below: