It's time for everyone to accept responsibility for cyber-security
Most organizations, regardless of size or sector, would be hard pushed to call their IT security department ‘popular’. The general feeling is these tools, together with those of us that implement and maintain them, if given their way impede productivity, hamper technological innovation and inhibit organizational flexibility. In short, some (many?) don’t see us adding value.
This feeling is compounded each time cyber-criminals prove publicly that they now have the financial strength and skill to beat many enterprises’ IT security solutions.
Time to give up and go home? No way. But we must face the truth: we are developing an image problem. One that has also faced those promoting health and safety (H&S) or human resources (HR).
The ‘what’s in it for me?’ culture
In recent times, both H&S and HR have adopted a ‘carrot and stick’ approach to effect a positive change in their image.
Health and safety folks, after establishing a grounded position as the butt of almost all office jokes, sought to get closer to workers in order to understand how to develop processes and rules that worked for everyone. Since then, a lot of time and money has been spent on employee education and engaging in internal marketing campaigns. As a result, many construction companies, in particular, now use their safety record as a vehicle through which they can promote their brand externally.
On the other hand, HR professionals recognized they could harness the tools of our hyper-connected digital age and make them work in their favor. They have championed flexible working, for example, and embraced mobile technologies, using both to recruit new talent as well as to ensure that current staff can work in ways that suit them. These changes have improved the image of HR almost immeasurably. They are now an enabler.
A new face for IT Security
So what can we learn from those guys? Firstly, we have to accept that we have to change how we operate. If we just focus on security and not on other business drivers, the messages will be lost.
If we try and dictate terms to users, or lock-down networks en-masse, operational efficiency will suffer, resulting in festering discontent and the loss of key talent from the business. At the same time, we also need to help our organizations understand that focusing blindly on workers’ digital user experience can have serious consequences. Yes, this new culture can make workers more productive, but the flood of data breach headlines over the last couple of years proves beyond any doubt that new bad habits will catch up with businesses at some point, probably sooner rather than later.
To be successful IT Security needs to be seen as enablers rather than hinderers. Rather than reactively trying to stop or descope the work of other departments, IT security needs to be part of the team that delivers new capabilities but in a secure way. Even proactively suggest new, more productive, working practices based on the latest solutions from IT security vendors.
For example, we need to work closely with HR to better support mobile workers. If we can understand the types of mobile devices staff want to use and how they’re using them, we can provide a list of approved devices and solutions. In fact, to make the process more proactive, each department should appoint an IT liaison representative.
Then the two departments can work together to agree on appropriate user policies for the organization. If staff chose to break those rules, it then becomes an HR issue, not just an IT security issue. On a more positive note, this union can really add value too, enabling a ‘chose-your-own-device’ policy that will appeal to everyone. Once we’ve agreed to the parameters that will govern access to the corporate network, and then engagement with the communications department needs to swing into action, turning out regular campaigns to educate and engage staff on the benefits delivered.
If a communications department is being given funding to design internal campaigns that champion benefits of a firm’s carbon emissions strategy, surely the same should be happening on the issue of cyber security. Ford understands this; ‘cyber security Steve’ is a campaign that the motor company is now using to educate employees on online safety.
We’re all on the same team
None of us wants to suffer accusations of ‘cyber security gone mad’, in the way that the health and safety industry has been forced to endure. Ultimately, even if we are to improve the perceptions of IT security, everyone from the CEO to the shop floor must accept that we’re all responsible for cyber-security. Only by working together will we be able to achieve success.