In one of our previous updates, we highlighted the importance that making security a part of your organizational culture played in keeping your remote workforce secure during the COVID-19 pandemic. But what does that entail? In this post, we’re going to flesh out key steps that security teams and their leadership should take in order to make a strong culture of security a reality within their organizations.
1. Security culture is inseparable from the values of your organization’s leadership
Like any other organizational value, building a culture of security starts at the highest tier. Invested stakeholders, usually starting with senior leadership, must cascade the kinds of cultural changes they want to ascertain by helping spearhead initiatives that will ultimately transform their organization. Although it is IT’s job to teach and have interaction with employees who break security policies and don’t follow security best practices, it might be very difficult for IT to function in a corporation where leadership doesn’t embody the values needed to take care of a secure organization at the highest level.
While security teams and leadership have historically talked past each other, there is a growing understanding that leadership must play a crucial role in fostering a culture of security by investing in security teams and setting the expectation that security is taken seriously across the entirety of the organization. Luckily, a growing number of security teams have found a standard language to debate these issues with the board and C-level executives – the language of business risk assessment and security performance benchmarking. When security leaders and business leaders speak the same language, it’s then that business leaders will begin to understand their role in shaping their organization’s security posture. This will motivate them to enshrine security as one of the organization’s core values and enable processes like best practices documentation and security education programs to play a critical role in employee onboarding and training. With this in mind, it might be challenging for organizations whose leaders don’t already appreciate the importance of security to adapt to the security challenges of remote work. Assuming these processes are in place within your organization, now is the time to update them to appropriately reflect the risks remote employees may encounter while working from home. However, if such processes are not in place, implementing them will obviously be a critical goal going forward.
2. Employees must be made aware of how important security is to the organization and how it impacts their work
Whether or not your organization has training and documentation in place, it’s a brilliant idea to reiterate the importance of security best practices to employees through company-wide communications channels and remote events like security discussions and training. This is actually true given that many employees are adopting new technologies to work and collaborate remotely while facing new and emerging sorts of malware and social engineering. Your aim as you educate employees is to remind them that security is critical to the health of the organization and that the safety risks they face effectively translate to job performance. Ultimately, an employee suffering from a security incident will be unable to perform their duties making it vital for them to broadly grasp the kinds of cyber threats the organization faces.
3. As you educate employees tie it into personal learning
A good security education program effectively serves a workforce development function. Getting employees to see this will improve employee buy-in and make them more readily embrace security education. In addition to the previous point of tying security education to organizational health and improved job performance, you should also highlight that security education will make employees good digital citizens which will help them in their personal life and in future roles. To reflect this mindset, security teams should whenever applicable highlight when security lessons apply both on the job and off the job.
4. Encourage employees to apply what they’ve learned
Building and revamping security education programs for the remote work era is just half the battle. Getting employees to apply what they have learned by identifying and potentially stopping incidents is the ultimate goal. Comprehensive security education programs should often be paired with periodic simulations (like phishing tests) where employees can demonstrate their security savvy and know-how. Employees and departments that are successful in identifying real or simulated incidents should be recognized for doing so during performance reviews and evaluations.
5. Build a security resource library
Most of this post has focused on the nature of security education and awareness programs; however, documentation is a crucial resource for employees also. Good onboarding documentation, like your employee handbook, is critical to setting the expectation that security is vital. However, your organization should more generally provide other documentation. In most cases, this may take the shape of a security resource library which should contain plain language summaries of company security policies, also as descriptions of cyber risks relevant to your company. You might also choose to include learnings from previous security training in the form of videos or other interactive content. Finally, you’ll want to make sure you’ve assigned a stakeholder to manage and maintain this library and encourage employees to review it periodically in order that they stay updated on what they have to know and understand to remain secure.
If you have already got such a resource, it will naturally be an excellent channel to provide employees with the lessons they’ll need to stay safe while working remotely. If not, it’s not too late to build a comprehensive one. You might find that some of your existing security content can readily be turned into materials to give remote employees the security insights they’ll need as they navigate the security risks of remote work.
This article was originally published at nightfall.ai