
Belton Flournoy at Protiviti argues that CISOs must communicate clearly across the whole of the organisation if they are to promote a culture that responds positively to cyber-security
As organisations embark on their digital transformation journeys, security considerations remain integral at every stage. In fact, Protiviti’s Top Risks survey of over 1,000 global board members and C-suite executives ranked cyber-threats as the 3rd-highest risk (up from 15th in 2023).
The problem for many organisations, though, is that security is either brought in too late or avoided altogether due to the never-ending requests for compliance they seem to bring.
So what are the most common obstacles, and how can they be overcome?
Failing to understand the role of security is probably the most common accidental oversight!
As we continue to race to the future, cloud and SaaS systems are enabling implementation teams to do more up front, with less consistent visibility across the organisation. The result is architects and engineers defining a process and then submitting it to security for approval, rather than designing from a security-first perspective.
Ensuring your people understand the role of security in your organisation is important. As a CISO, your role is to ensure they understand why you are trying to protect the business, not just the controls you are looking to put in.
Change from focusing on cyber-awareness to storytelling—bring your employees on a journey they care about.
Imagine getting an urgent call from your boss asking you to help transfer $240,000. This happened at a British energy company, whose CEO transferred $240,000 of the company’s money into the scammer’s account.
We know cyber-crime exists, yet many cyber-awareness programs place an emphasis on the ‘controls’ they want people to understand and less on the ‘what can happen’ if there is a breakdown.
CISOs need to bring people on a journey, ensuring they understand the implications of not having strong security controls and their role in protecting the business. Use real-world examples to better showcase what can happen.
Telling an employee not to click suspicious links through an awareness campaign can help, but sharing how an Australian co-founder lost $8 million of his company’s money by joining a Zoom link gives them the context to understand the implications of one wrong click—information is retained up to 20 times more effectively when shared as part of a story.
Adopt an employee-first mindset. After all, we already have a customer-first one, and if anything, our employees should matter just as much to us as our customers.
The CISO and their team should be partners to the organisation, not just service providers. The CISO’s role is to protect the organisation from cyber-threats while enabling efficient business operations. The disconnect occurs when security teams pursue the strongest possible security while overlooking the impact on the employees who have to live with it.
An example of this is extreme password requirements in an organisation that does not have SSO: are people really meeting your complexity requirements, or simply using PASSW@RD123?
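As an added illustration of the point above (example code written for this edit, not from the article or from Protiviti): a small Python check showing that a typical composition-only policy accepts the PASSW@RD123 pattern the text describes, while a check that folds common character substitutions and compares the result against a blocklist of base words rejects it. The substitution table, the blocklist and the sample passwords are constructed for the demonstration; a real deployment would check candidates against a breached-password corpus rather than a hand-written set.

```python
"""Composition rules versus a normalised blocklist check.

Added example, not from the article or Protiviti. Shows that a typical
'eight characters, three of four character classes' policy accepts
PASSW@RD123, while undoing common substitutions and comparing against
a blocklist of base words rejects it. All data below is constructed.
"""
import re
from itertools import product

# Characters people swap in to satisfy composition rules. Each maps to
# every letter it is commonly used for ("@" stands for both "a" and "o").
SUBSTITUTIONS = {
    "@": "ao", "4": "a", "3": "e", "1": "il", "!": "i", "|": "il",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
}

# Tiny constructed blocklist of base words. A real deployment would use a
# breached-password corpus instead of a hand-written set.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

MAX_VARIANTS = 256  # bound the expansion for inputs with many substitutable chars


def meets_composition_rules(pw: str, min_len: int = 8) -> bool:
    """The 'extreme complexity' policy: minimum length plus three of four classes."""
    classes = [
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def _expand(text: str) -> set[str]:
    """Replace each substitutable character by every letter it may stand for."""
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in text]
    variants: set[str] = set()
    for combo in product(*choices):
        variants.add("".join(combo))
        if len(variants) >= MAX_VARIANTS:
            break
    return variants


def candidate_base_words(pw: str) -> set[str]:
    """Lower-case the password and derive the words it is likely built from,
    both with and without the leading/trailing digits or symbols that get
    appended to pass the rules ("123", "!", "2024")."""
    lowered = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return _expand(lowered) | _expand(stripped)


def is_blocklisted(pw: str) -> bool:
    """True if any normalised form contains a blocklisted base word."""
    return any(word in cand for cand in candidate_base_words(pw) for word in BLOCKLIST)


def evaluate(pw: str) -> dict:
    """Report both verdicts so the gap between them is visible."""
    return {
        "composition_ok": meets_composition_rules(pw),
        "blocklisted": is_blocklisted(pw),
    }


if __name__ == "__main__":
    # Constructed samples: three substitution-heavy dictionary words that
    # satisfy the rules, and a passphrase that fails them despite being strong.
    for pw in ["PASSW@RD123", "P4ssw0rd2024", "W3lc0m3!", "correct horse battery staple"]:
        print(f"{pw!r:32} {evaluate(pw)}")
```

The last sample makes the user-experience point from the other direction: a long passphrase fails the composition rule for lacking an uppercase letter and a digit, which is exactly what pushes people toward predictable substitutions in the first place. NIST SP 800-63B recommends against composition rules and for screening against lists of commonly used or compromised passwords for this reason.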
Understanding how someone executes their role on a day-to-day basis is just as important as understanding what security controls need to be in place. It is the security team’s job to ask the right questions, so that when the solution is developed, it considers both security and the user experience.
Finally, and most importantly, don’t stifle innovation with process.
Loss of IP, reputational damage, compliance and regulatory fines—the list of risks that strong security controls help to prevent is long. However, the landscape is now changing at an ever-increasing rate, with more innovation required in cyber-security to keep up with ongoing trends, including Zero Trust, Artificial Intelligence, deepfakes and quantum computing, to name a few.
According to Protiviti’s Top Risks survey, top risks #6, #7 and #10 all have a role to play, which include:
To remain competitive, organisations must balance security control with technology innovation so that they can rapidly develop new offerings and enhance their technology landscape while focusing on security.
The solution is never to outright ‘ban’ new technologies but to find ways to capitalise on them. An organisation can ban the use of ‘ChatGPT’, or it can upskill its employees to use it effectively, or build an internal equivalent to protect the company’s secrets.
Either way, focusing on how technology can benefit your organisation is a better starting point than putting it into the ‘block until we have time’ category. Otherwise, you might just end up the next Blockbuster, which laughed at Netflix’s mail-order origins.
Belton Flournoy is Managing Director at Protiviti
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543