In one of our previous posts, we highlighted the importance that making security a part of your organizational culture played in keeping your remote workforce secure during the COVID-19 pandemic. But what does that entail? In this post, we’re going to flesh out key steps that security teams and their leadership should take in order to make a strong culture of security a reality within their organizations.
Like any other organizational value, building a culture of security starts at the top. Invested stakeholders, usually starting with senior leadership, must cascade the types of cultural changes they wish to see by helping spearhead initiatives that will ultimately transform their organization. Although it is IT’s job to educate and engage with employees who break security policies and don’t follow security best practices, it would be very difficult for IT to function in an organization where leadership doesn’t embody the values needed to maintain a secure organization.
While security teams and leadership have historically talked past one another, there is a growing understanding that leadership must play a role in fostering a culture of security by investing in security teams and setting the expectation that security is taken seriously across the entirety of the organization. Luckily, a growing number of security teams have found a common language to discuss these issues with the board and C-level executives – the language of business risk assessment and security performance benchmarking. When security leaders and business leaders speak the same language, it’s then that business leaders will begin to understand their role in shaping their organization’s security posture. This will motivate them to enshrine security as one of the organization’s core values and enable processes like best practices documentation and security education programs to play a critical role in employee onboarding and training.
With this in mind, it might be challenging for organizations whose leaders don’t already appreciate the importance of security to adapt to the security challenges of remote work. Assuming these processes are in place within your organization, now is the time to update them to appropriately reflect the risks remote employees may encounter while working from home. However, if such processes are not in place, implementing them will obviously be a critical goal going forward.
Whether or not your organization has training and documentation in place, it’s a good idea to reiterate the significance of security best practices to employees through company wide communications channels and remote events like security discussions and training. This is especially true given that many employees are adopting new technologies to work and collaborate remotely while facing new and emerging types of malware and social engineering. Your aim as you educate employees is to remind them that security is critical to the health of the organization, and that the security risks they face effectively translate to job performance. Ultimately, an employee affected by a security incident will be unable to perform their duties making it very important for them to broadly grasp the types of cyber threats the organization faces.
A good security education program effectively serves a workforce development function. Getting employees to see this will improve employee buy-in and make them more readily embrace security education. In addition to the previous point of tying security education to organizational health and improved job performance, you should also highlight that security education will make employees good digital citizens which will help them in their personal life and in future roles. To reflect this mindset, security teams should whenever applicable highlight when security lessons apply both on the job and off the job.
Building and revamping security education programs for the remote work era is only half the battle. Getting employees to apply what they’ve learned by identifying and potentially stopping incidents is the ultimate goal. Comprehensive security education programs should often be paired with periodic simulations (like phishing tests) where employees can demonstrate their security savvy. Employees and departments that are successful in identifying real or simulated incidents should be recognized for doing so during performance reviews and evaluations.
Most of this post has focused on the nature of security education and awareness programs; however, documentation is an important resource for employees as well. Good onboarding documentation, like your employee handbook, is critical to setting the expectation that security is important. However, your organization should more generally provide other documation. In most cases this will take the form of a security resource library which should contain plain language summaries of company security policies, as well as descriptions of cyber risks relevant to your company. You might also choose to include learnings from previous security training in the form of videos or other interactive content. Finally, you’ll want to ensure you’ve assigned a stakeholder to maintain this library and encourage employees to review it periodically so that they can stay up to date on what they need to know to stay secure.
If you already have such a resource, it’ll naturally be a great channel to provide employees with the lessons they’ll need to stay safe while working remotely. If not, it’s not too late to build one. You might find that some of your existing security content can readily be turned into materials to give remote employees the security insights they’ll need as they navigate the security risks of remote work.