4 tips for building a strong security culture

To better protect data, security teams need to create a culture of personal responsibility rather than one of blame and intimidation. Here is how two security executives do it.

Security teams can’t protect what they don’t see. Monitoring tools keep improving, but end users and business managers still need to tell IT and security teams what data they use in which applications, especially when something goes wrong.

A corporate security culture built on blame and intimidation means end users won’t tell you when they are using an unapproved app, have clicked a malicious link, or have noticed unusual activity; by the time the problem surfaces on its own, it is too late. Security teams should instead build a culture of personal responsibility, so that users treat data security the way they treat other corporate policies such as health and safety.

A blame culture only makes security worse

Treating people as the weak link and creating an environment in which employees fear retaliation for security failures is no way to run a business, yet some companies go to extremes to punish the victims of a scam. A Scottish media company fired and sued an employee after a phishing scam in which the scammer, posing as the company’s general manager, tricked the employee into paying out about 200,000 pounds ($250,000). Brian Krebs recently reported a number of cases in which employees were fired for failing a simulated phishing test.

This culture of blame only makes employees afraid to speak up when problems arise, and puts data at risk. “These people who deal with information can’t be a weak link,” said Mark Parr, KPMG’s chief information security officer in the UK. “I want to make employees feel approachable. If they make a mistake, they can tell me. It’s all about building trust, and my colleagues feel that I’m actually supporting them instead of punishing them after things go wrong.”

To help build trust between the security team and employees, KPMG launched a program to recognize employees who discover security issues within the organization. Parr said: “I want to develop this culture, let people be happy to tell me, or after problems or things happen, they can report to the service desk. We have an internal system in which we praise employees, and other employees can see it. If someone comes to me and says ‘I noticed this problem’, then I will let their direct supervisor know that this person actively stood up and reported the problem.”

Graeme Park, head of global security operations at The Hut Group (THG), a UK e-commerce retailer, warned that, given how intertwined business and personal systems, applications and devices have become, poor personal security is a factor in attacks on the company, whether employees use BYOD (bring your own device), read personal e-mail on a work computer, read work e-mail on a personal computer, or use personal SaaS (software as a service) accounts for business purposes. Companies can combine controls and training without resorting to intimidation. “This is a retraining issue,” Park said. “The goal is to make the security department approachable, rather than knocking down employees so they can never turn over.”

For example, Park often introduces “small problems” into the web proxy while logging everything, including warning users when they access a site that violates policy and asking them to give a reason why they need the page. He said: “You should instill security knowledge in the exercise of your controls; let them think and let them prove themselves. If employees do this, then they will consciously decide whether what they are doing is right and safe, and whether it meets the requirements.”

“They also know that they will be reviewed at this stage, which will actually make them think more. This also gives them more power,” Park added.

Characteristics of an excellent security culture

If a blame culture is harmful, what should an excellent security culture look like? KPMG’s Parr believes: “People are subconsciously aware of the risks associated with daily activities and have the confidence to reduce risk or deal with risks. We must abandon the idea that ‘everything is fine, the chief information security officer will handle this for us.’”

Parr and Park believe that chief information security officers should focus on four key areas to build a strong security culture.

1. Make security easy to understand

Since Parr became chief information security officer more than a year ago, KPMG UK has been changing its in-house security culture and educational approach to bring the company’s 16,000 UK employees across 27 locations to the same level of security awareness. Parr said: “A good culture can make people feel confident and caring about information security, rather than feeling that it is a science or metaphysics.”

A key aspect of creating a culture of security awareness is keeping the audience happy, so KPMG’s security education content is written as simply as possible and tailored to employees. Parr said: “I hope that employees’ views on information security at home are consistent with their views at work. It is critical to set clear directions for employees by using real-life scenarios.”

“Whether it’s the front desk staff who help customers get into our customer demo suites, the people who are auditing, or the technical team members who help customers solve technical problems, they can all understand it as long as the language is the same.”

This basic knowledge makes it easier for end users to understand, which in turn means they take the security of corporate information more seriously because they can imagine the consequences of a mistake. Parr said: “For me, the key to success is responsibility. If employees think they understand why they are responsible for the processing and management of these data, then I am right.”

2. Provide continuous awareness training

As part of this cultural change, KPMG has moved from presentations and assessments to what Parr calls the “continuous instilling of awareness”: developing awareness through activities, training, videos and podcasts. “Look at the slides, click as fast as possible, answer the last 20 questions and hope you pass, but these don’t really show me anything, just that you can remember some of the information on the slide. What I want is to let people know the rules and guidance, know what they can and can’t do, and know their roles.”

Parr said: “The first thing to do is to use very simple language and easy-to-read policy files, and compress these files into small news items to attract people to take the time to read them. Then follow with a short three-minute video, so that it is convenient for people to watch on their way to work. The purpose of this is to keep the awareness activities going and to keep employees being reminded.”

While culture is difficult to measure, Parr also works with the company’s learning and development teams to develop engagement metrics around how many employees listen to the podcasts, watch the videos, and interact with other security content produced by the team. This gives an indicator of whether the training material resonates with staff.

He added, “I also need to constantly consider new ways of interacting with employees, not only to remind them of security, but also to involve them more in the things I am trying to do.”

To boost employee enthusiasm, the company’s senior management regularly encourages employees to watch, read and listen to these security materials. Business information security officers are asked to act as information security subject-matter experts embedded more deeply in their business units, encouraging employees to participate more directly.

3. Work with employees who use shadow IT

Blocking employees from using unapproved applications (known as shadow IT) purely on security grounds is unwise. Park believes that “shadow IT has always been a problem, and the driving factor behind it is actually that IT systems are everywhere, whether software or hardware, whether at home or elsewhere.”

“These people are not bad,” Park said. “They aren’t trying to use shadow IT to deliberately circumvent corporate policies or corporate security policies. Usually, they just want to do their jobs better and faster. This is a failure of the IT and security department; we can change from a blocker to an enabler, ensuring that employees have the tools they need to get the job done.”

Park said that shadow IT spans SaaS services, unapproved desktop applications, and some “small but influential things”, such as integrations with Slack or JIRA, browser extensions, and even devices such as Amazon Alexa on the corporate network. Whatever form shadow IT takes, IT and security should respond with more openness. If users fear being punished for violating company policy, they will never tell the IT department what they are doing.

Park said: “At this point, we have to be smarter and more flexible. Anyway, these things happen in reality. If the risk of using these external tools is limited – suppose someone wants to use a design tool at work, and this work is not secret – then the risk of this situation may be limited. You need to be able to provide people with a degree of flexibility.”

4. Actively demonstrate an excellent security culture

Changing the security culture within an organization also means changing the way the security team thinks. Employees want the chief security officer to be a good communicator and leader, and the security team has to follow that lead.

“The security team has not done very well at being approachable over the past decade,” Park said. “We rarely speak in simple language, and we have not explained the risks by clarifying the real underlying technical issues.”

Park believes that security needs to convey information in a manner similar to health and safety warnings. “Explain to people why rock climbing should not be carried out without personal protective equipment (PPE), and the consequences are obvious. But explaining to people why they can’t use Dropbox when they use SharePoint is very difficult, because the consequences are not as obvious as the consequences of climbing without protection.”

“We need real participation and education to ensure that employees understand what they are doing and know what happens if they lose certain documents or intellectual property. It is of great value to frame the problem as everyone’s responsibility,” Park said.

Parr has also been working with the security team to change the way they think and make them ambassadors and advocates who instill a security culture in the rest of the company. He said: “These people are showing what a good security culture should look like, and at the same time letting their colleagues continue to see this excellent security culture. For a long time, information security has been seen as a business practice, which kills a lot of good ideas. Now it can’t go on like this anymore. We should let companies know how we work and promote them, so that they know that it is safe and reliable.”
