On 2 November, teissTalk host Tom Langford was joined by Keil Hubert, Associate Principal, Security Human Risk Management, OCC; and Rob Flanders, Head of Threat and Incident Response, BAE Systems.
Views on news
Research suggests that situational factors play a significant role in shaping individuals’ behaviours, regardless of their underlying moral character. In the context of information security, individuals may find themselves in situations where seemingly ethical actions compromise security controls. Authority figures in a company can also suggest that shortcuts be taken for the sake of meeting deadlines. Colleagues who notice anomalies might conclude that if no one else raises the alarm, this is how things are meant to be done after all. This signals that rules are optional, which can be highly detrimental to the organisation. In a culture of accountability, employees will self-report when they realise they have done something wrong. Accountability is further supported in the UK by the UK Cyber Security Council’s recent announcement of the country’s first cohort of chartered cybersecurity practitioners. The US has no equivalent charter, but organisations there can adopt strategic frameworks that define the skills and competencies required of cybersecurity professionals, although implementing one is a complex task.
Blame game versus accountability
Embracing and implementing a cybersecurity framework can be difficult and time-intensive for an organisation. As far as CISOs’ accountability is concerned, in the UK there seems to be a consensus that cybersecurity has to be represented at executive level so that its voice is heard. Applying frameworks to organisations and roles is sometimes tricky because cybersecurity professionals carry varied responsibilities and their role profiles are not standardised. Although you need someone such as an ambassador to encourage people to come forward, you also need a “bad cop” who will hold to account those who intentionally flout the rules and tell them plainly that they will lose their clearance if they hide cyber incidents. If the rulebook comes up short, the most senior person can deviate from it, relying on their expertise while also taking responsibility for their actions. People respond to stories rather than commands, so telling stories you were part of is far more impactful and makes listeners more receptive. Pen testers are sometimes reluctant to name the individuals who made mistakes for fear that management will take reprisals against those people, as there have been cases in which staff who made security mistakes were eventually dismissed.
The panel’s advice
Culture will override any written rulebook or regulation.
Empower your employees so that they are not afraid to “rock the boat” and report breaches of security rules.
Without authority to remediate, cybersecurity professionals will only serve as scapegoats.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543