By Amanda Fennell, CSO and CIO, Relativity
Sophisticated security tools and well-constructed processes can help insulate an organization from the relentless cyberattacks that are part of the digital reality businesses face every day and everywhere. But tools and processes alone are two variables in an incomplete equation. People are the linchpin in any organization’s security posture—and the wildcard. Getting people personally invested in security is how organizations will strengthen their resilience to increasingly insidious threats from cybercriminals seeking a payday and from state actors sowing deliberate chaos. That investment requires shifting attitudes from general awareness of security, which most workers already have, to genuinely caring about it and seeing themselves as a true part of their company’s security defenses.
A human-centric approach to security is one where good tech and creative use of process meet well-trained and empowered employees who are motivated to learn and act. Cultivating real human interest in security, or in any other practice, will never come from a work environment of blame, fear or mistrust, or even from dangling financial incentives once needs are met. So how can organizations truly reach their people and transform their defenses? Consider the following strategies.
Remember That Energy Feeds Energy
First, it’s vital to dig into some basics of the human personality. People respond to energy. Positive, energetic conversation lights up a room (physical or virtual) and acts like a magnet for human interaction. When security professionals direct the same old messages, conveyed in stale ways, to teams across an organization, it can sound like background noise. This doesn’t mean artificial hype is helpful. An energetic posture should be real, engaging and rooted in a security professional’s love of what they do. People will sense that, and it’s the first step in keeping their attention—which is a sine qua non for making human change happen.
Understand Others’ Context and the “Why” That Makes Sense to Them
Think about an individual on the product marketing team or in engineering, operations, communications or human resources. What’s their typical day like? What tasks are unique to their role? What are their goals? How does security impact what they care about and what their job is focused on? Why does security make sense to them on a daily basis? Discover each “why” that influences employees in different roles. To borrow a concept from marketing, think about personas in a meaningful way and try to understand the exact message that resonates with different audiences.
Considering the full context in which people operate is important when organizations and security teams evaluate whether their fellow employees have the resources, tools, timeframes, and parameters to perform the security functions relevant to their jobs. Security programs must shoulder accountability for setting employees in different roles up for success.
Help People Become Curious About Security with Content That Offers Depth
When security pros have an energetic stance and convey that they understand the context in which people are operating, they are much better positioned to imbue curiosity about security in others. As soon as humans become curious about something, they get invested in it in a different and internally elevated way. Curiosity is a motivator and action-driven in people’s minds. One of the best ways to cultivate curiosity is with content presented well that offers depth and generates questions. Exceptional educators know that it’s a mistake to drone on about basics and not offer thoughtful challenges and problem-solving quests to learners.
Reviewing best practices in a creative way is good, but security programs and training should go beyond this. While exploring phishing examples and best tools to manage passwords, offer to dive into how tools actually work. Share with those who are interested the kind of training provided to security professionals themselves. Have sessions where everyone can “nerd out” and learn the nitty-gritty of how different threats invade systems. Show what a Log4j vulnerability is and how the library is exploited. Don’t be surprised when learning content that goes past the surface and offers depth generates new curiosity and a larger following!
Embrace Learning Management Systems That Enable Microlearning and Self-Service
Effective learning management systems are available that take into account the human attention span. At work, people’s regular job tasks eat up their day. Mobile devices and social media, among other forces, have advanced a kind of rapid and fragmented consumption of information that’s influenced the way we all operate. There’s, of course, still a time and place for lengthier learning and contemplation, especially in one’s own area of expertise, but for people whose work is not security, microlearning can be impactful. Break down traditional, multi-hour training sessions into micro segments—small, short, sharp learning campaigns. A regular cadence of creative lessons, each shared in two minutes or so, that both reinforce and build on other short segments, caters to limited attention spans and helps people retain key messages.
Making sure that steady flow of brief, creative learning content is self-service is also key. People must be able to learn at their own pace and at times that make sense to them in their work. It’s useful to engage with a micro-module on a particular tool when a person actually needs the tool. Otherwise, the material will be quickly forgotten.
Consider Cultural Relativism When Developing Security Training and Programs
Cultural relativism is not an absolute, but a useful concept holding that a person’s beliefs and practices can be understood in the context of that person’s own culture. The U.S. has a cultural zeitgeist focused on individual freedom. Family and honor are a defining feature of Japanese culture. It’s important to balance notions of everyone being on the same page with cultural differences, while not over-generalizing or stereotyping people. But cultural distinctions can impact the effectiveness of learning scenarios and the ways in which we communicate, especially as businesses become increasingly global operations.
With cybersecurity, notions of privacy can be understood with different nuances in different cultures. The rollout of GDPR has demonstrated this, with Europeans leading the standards movement. Being empathetic to cultural differences—and language differences—means better programs and better learning.
Nurture the Trust Dynamic in Security Programs and “Testing”
Many companies engage in simulations of security breaches and testing of employee security behaviors. This can be tricky ground. Security professionals need to nurture a trust dynamic, where they demonstrate respect to their colleagues outside of the security team and are not perceived as condescending or trying to trick others. What precedes a zero-day simulation matters. Create implicit or explicit “permission” to test people. Let them know in advance that testing exercises are about building muscle memory in security processes, not about blame. Building open and respectful relationships prior to simulations goes a long way in keeping trust intact.
Integrate Fogg and Pink Behavioral Theories into Security Programs
The Fogg Behavior Model presents a human equation. Motivation to do a thing, ability to do a thing and a prompt to do a thing, together, will yield a behavior—doing the thing desired! Think about password management. The average person, in their personal and professional life, may be managing as many as 200 application accounts, each with a password. That person may want to have distinct, strong, rotating passwords for each account, and may be requested to do so, but doesn’t have the physical ability to do it. Security professionals can step in and offer the ability, or capability, piece—the tool, a password manager—and show how to use it.
Daniel Pink’s work on motivation in the workplace, drawing on decades of scientific research, is also worth considering. In his seminal book, Drive, he evidenced that high performance at work is the result of three elements that yield true motivation: autonomy (our desire to be self-directed), mastery (the urge to improve our skills) and purpose (the desire to do something meaningful and important). Designing security training with intrinsic motivators in mind yields results.
Is it possible none of these human-focused strategies to bolster security will work with some employees? That punitive measures must be used instead? Maybe, maybe not. Punitive actions aren’t likely to change behavior in a lasting way for employees who fail to meet security standards, and they can backfire by creating resentment. If someone can’t be induced to participate in security, building strong behavioral guardrails around them and keeping the emphasis on organizational protection instead of punishment is probably the best approach. In certain circumstances, anyone, even a security professional, can be hacked.
About Amanda Fennell
Amanda joined the Relativity team in 2018 as CSO, and her responsibilities expanded to include the role of CIO in 2021. In her role, Amanda is responsible for championing and directing security strategy in risk management and compliance practices, as well as building and supporting Relativity’s information technology. She also hosts Relativity’s Security Sandbox podcast, which explores “the power of people,” diving deeper into the themes explored in this article about how people are an organization’s greatest security asset.