A series of 3 monthly blogs from Mo Amin and ‘Restricted Intelligence’
Part 2 – Trust Issues
Let’s be honest, plenty of security departments are still seen as the “Department of No”. It’s become a tired cliché. Historically, they haven’t endeared themselves to the business, handing down a blanket “no, you can’t do that” without explaining WHY or offering an alternative. Lack of approachability, or simply lack of interaction, adds up to a massive trust issue, which means your internal brand, compared with other business units, is seriously short of clout. It shouldn’t come as a surprise, then, that when you begin work on your security culture programme you’re starting in negative equity. This is why you need to start establishing trust and building your brand from the get-go. In fact, this act in itself can be the beginning of your security culture programme: plan it like a marketing campaign, and get to zero first!
Get stuck in
Where possible, share successes and failures. Be up front: ‘We stopped x incidents this month, but y is something we didn’t catch’, and talk about the lessons learnt after each incident. It makes the security team human and credible. Become the conduit: walk around and engage. It may seem radical, but actually ask people (Comms, Finance, HR, Legal, whoever) what they would like to see from a security point of view. Find out their specific issues and pain points. For example, what happens when the CEO’s email address is spoofed and a message goes out in their name? You will get responses that unearth a whole new layer of understanding: ‘I’ve been told to look out for phishing emails, but what I do next is unclear, slow or complicated’.

Take team dynamics, for example: a whole nest of competing objectives, ranging from self-preservation tactics to passive-aggressive foot-dragging that simply puts the brakes on progress. You have to understand issues and priorities on the ground. Which team has what objectives and reporting outputs? What are they working towards? Remember those ‘security champions’ from the last blog post: this is their moment to take the spotlight. In short, don’t be a team that ignores the team dynamics and departmental interactions being played out right in front of you. Grab your security culture study, whistle up your security champions and ride out onto the range, eyes and ears wide open.
Take a look in the mirror
Sometimes there’s a cultural issue in the security function itself, reflecting the differences in personality between the technical and non-technical sides of security. I’ve had instances where I’ve gone to talk to someone doing technical work and been told I needed to talk to someone on the “other side”, meaning the individuals working in project risk, awareness, policies and processes. If you can’t get your own team on the same playing field, what hope do you have of effecting security change across the business?
Be seen, be known … be generous.
This is the opportunity to have some fun. Create a ‘brand’ for the department, starting with a tag line and/or logo. Definitely involve your Comms or Marketing team for a bit of creative collaboration. Whatever campaign materials you run, be it ‘Restricted Intelligence’ or something else, be visible. Step one towards visibility is a team profile, complete with pictures, a bio and a 30-second video clip of each member of the security team. This is a great way of putting a face to the faceless. Show that every member of the security team is a professional. Encourage them to share their experiences of personal security in a blog piece that offers a bit of advice. Become known for helping without expectation of reward. Have guidance available that helps staff with security at home, such as staying safe while using online banking or keeping their kids safe on social media. This is the stuff people really lose sleep over. If you’re being more visible, you need to extend this openness to what comes back at you. Companies often don’t have a clear, easy and defined route for staff to feed back the nature of their problems. By making this as frictionless as possible, for example by making it easy for staff to report suspected phishing emails, breaches or incidents, and by telling them what happened as a result, you’re taking a huge leap towards building a positive security culture.
Next month we’ll be asking the big question: ‘Is your platform ready?’.
Mo Amin is an independent security culture consultant
‘Restricted Intelligence’ is an Information Security Campaign delivered through 5 Seasons of highly entertaining short sitcoms.