Cyber security is about culture as well as tech

Lakshmi Hanspal, Global Chief Security Officer at Box, explains how soft people skills are just as important as technology skills for cyber professionals

As the Covid-19 remote working period stretches on, it seems more and more unlikely that we’ll see a return to the old days of the office-based 9 to 5. While many businesses are welcoming the increased flexibility and productivity that remote working brings, we have also seen the security landscape evolve dramatically as a result. Recent research by the Cloud Industry Forum found that 41% of businesses with operations in the UK agreed that their remote working solutions were not as secure as the office, while the vast majority (83%) said that they had changed their IT strategy as a result of the pandemic.

Yet securing remote work isn’t solely the job of the IT team. It ultimately requires an organisation-wide culture of trust. Senior leadership needs to be able to trust from the beginning that their teams have secured systems for remote work. Customers need to trust that their data is protected. Employees need to trust that there are systems in place to support them.
To get it right, companies need to weave trust throughout their entire ecosystem and make security part of every job description. This will enhance trust among the people, processes, and platforms that contribute to secure remote work.

A trust-based approach

It’s commonly said that humans are the weakest link in a company’s cybersecurity strategy. Unfortunately, the risks posed by employee behaviour are far harder to monitor when working remotely, as backed up by recent findings that over a third of UK remote workers are allowed to use personal devices to access company applications and networks. Even more worryingly, a fifth of remote workers recycle their work email or password to log into consumer websites and apps.

Being confident in your cybersecurity strategy crucially means being confident that you can trust your team. The most effective way to enhance trust throughout your ecosystem is to acknowledge that it will always be a work in progress. 

In my experience, the most effective way to build trust is to listen, learn and lead with empathy. When people tell you that security protocols are difficult to follow, don’t lecture them — seek to understand and find adoptable solutions. Encourage people to speak up about mistakes, and reward proactive behaviour. Trust within an organisation multiplies when it is generously and wisely given, and when people feel heard.

Aligning with business objectives

Unfortunately, some aspects of security practice have earned a bad reputation over the years, as well-meaning IT teams implemented security solutions that placed barriers between people and the information they need to do their job. The fact is, people will find a way to work around security measures that don’t align with their business needs. As long as end-users see security as something that gets in the way, we will always face unnecessary risks. Effective security comes from having tools and solutions that are easy to implement and follow. 

My philosophy is that the best security solutions are built in, not bolted on. This means giving employees guideposts to facilitate their decision-making without stifling their productivity and trusting them to succeed. Technology can help us achieve this, such as using AI-driven tools that can automatically apply security classifications to different data types. But the goal is bigger than the tool: the point is to seamlessly integrate security into workflow processes without imposing new hurdles.

Investing in frictionless security solutions creates a sense of ownership and accountability among users for the content that they create and share. This helps individuals realise that they’re bigger than just their title in a company, which grows the trust ecosystem.

Overcoming distractions

Trust is a two-way street. Security professionals know that end-user behaviour is still one of the biggest risks to security, but I also believe that, with the right approach, end-users can be the biggest security advocates. Educating users about security threats and best practices is often seen as a “nice-to-have” that gets forgotten when a crisis emerges. However, this is exactly when security education is needed most. Social distractions have long been a primary threat, and the success rate with attacks is higher when everyone’s attention is diverted elsewhere.

Workers are more distracted than ever in this pandemic, with many employees working from makeshift home offices, surrounded by families and pets, maybe in multi-purpose environments like kitchens and bedrooms. Yet, these same people still want to make good decisions, and they can be trusted to do so if they have the right support. Developing and communicating clear policies about trusted devices and regularly sharing information about the changing threat environment will help establish and reinforce a strong security culture.

Organisations that don’t already have strong education programmes don’t need to tackle this alone. They can look at leaders in this space to support them in ways that organically mesh into the culture of learning within an organisation.

Why does that matter when securing remote work? Because it creates a work environment full of empowered people who feel invested in the company’s success — which is a trust-based security posture that money can’t buy. 


Lakshmi Hanspal is Global Chief Security Officer at Box

Copyright Lyonsdown Limited 2021
