The information security industry frequently utilizes the phrase “people, processes and technology” (PPT) to describe a holistic model of securing the business.
But though this phrase is repeated ad nauseum, we seem to have forgotten one of those three primary pillars: people.
In an effort to secure things technically, we prioritize the protection of our processes and technology, while ignoring a critical element to both the success and security of organizations. While it is common sense to prioritize humans – our first line of defense against cyberattacks – too often we only focus on processes and technology, leaving a significant part of our environment dangerously exposed.
Forgetting the people of the PPT approach is like operating a car without airbags. Perhaps you cannot physically see the hazardous gap, but the drive will be incredibly unsafe.
How do we mitigate this gap? By recognizing that people matter. In the information security domain, we place extensive premiums on the focus of the technical, which leads us to neglect humanism, soft skills and the human capital of the business.
Avoid disempowering your staff
Security professionals often describe humans within the cybersecurity space as the weakest link of the system. Security staff often use this phrase to describe everyone but themselves, which does little to enable trust between internal teams or to encourage collaboration among cross-functional groups. In addition, it cultivates an “us versus them” mentality, which is damaging to professional relationships and the success of our information security programs.
Even if people are the element most susceptible to phishing attempts, or the link most likely to be negligent in security practices, it becomes incredibly difficult to foster a culture of security awareness if we demoralize or denigrate the individuals we need to help drive our security priorities.
How does a security team avoid disempowering fellow employees? The solution is quite simple: be aware of the words and phrases you use to describe the people of the PPT model. Develop trust by utilizing positive language during communication and approaching all staff with respect when informing them that security is the responsibility of all employees. You will more effectively keep the attention of staff when you demonstrate that you respect them and indicate that you view them as a primary element of keeping the organization secure.
Steer clear of “My way or the highway!”
The stress of constant security incidents and continuous fear of potential data breaches lead many security teams to operate with a rigid, iron-fist management approach. Instead of allowing security to better enable the business, ideas and programs are forced through and collaboration is thrown by the wayside in the name of making our environments more secure.
While this certainly does not make us popular within the workplace, it also contributes to a lack of trust between security and other business functions. Trust is critical to the success of our security paradigm, which means we must take every opportunity possible to ensure that security enables the business. Without trust, the people of our businesses will not follow our security policies, report suspicious activity, or see cybersecurity in the organization as something they are directly responsible for.
Is it possible for security teams to operate in a flexible, and collaborative manner that guarantees the advancement of the security program, while simultaneously not hindering the day to day work of other staff?
Most definitely. And the solution, like the above, is free, and requires no processes or technology. Be open to opposing opinions regarding the implementation of your security project or program. Approach others cooperatively on how the integration of a new security tool or application should be managed. Asking others, candidly, if there is a “better” way to address a security problem is a wonderfully collaborative way to engage within a culture of teamwork.
Those outside the security team may have ingenious approaches to fixing security problems that we may never have thought of – solutions that both mitigate the security issue and don’t hinder the day-to-day work of employees. Acknowledging the skills and expertise of other non-security teams allows us to discover more innovative ways of approaching a security problem.
Continue to implement technical controls but consider implementing another element into your governance model: people matter. This value, though it sounds simple, is an effective way to not only manage security risk at an acceptable level, but also to ensure that we cultivate our security models holistically.