The best cybersecurity and privacy regimes will never work if your team members do not actively protect company efforts. Here is the precursor to how top-down security infrastructures have shortcomings. Instead, think how you can drive security from the ground up: with the support of each and every team member that contributes to your project. Here are seven key tips.
1. Retain buy-in from your colleagues
Just like health and safety standards in buildings, security and privacy practices can sometimes feel like a box-ticking exercise: annoying, but not essential. Yet, just like building regulations, cybersecurity and privacy practices are one of those things that might go unnoticed if never implemented, but that can provide a critical defense when disaster strikes.
In theory, teams at every level should prioritize cybersecurity and privacy practices. But more often, cognitive dissonance sets in and teams will make minimal or no effort to implement these practices. That’s why buy-in is so important: you must get your team to fully appreciate the consequences of lax measures.
Try referring to case studies – and communicate examples of cybersecurity and privacy gone wrong. It’s a matter of continuous, persistent education.
2. Account for the unpredictability of human nature
Your cybersecurity tools may be robotic, but your team members are humans. When you manage your teams you must be ready for potential errors. Inherently, human behavior is hard to predict and may not always behave the way you expect them to. In a hurry, data can be shared without first thinking about the implications of where it’s going, how it’s stored, and how it can be accessed.
So, while you should put in place security and compliance steps and procedures, you should also plan for those steps not to be followed. In other words, be prepared for your colleagues to flout the rules at some point and rather, put in place checks and balances to catch out any deviation from the rules.
3. Nudge your team members towards a secure mindset
Complacent or uninformed behavior can be frustrating, but you can also take advantage of human nature to achieve a secure environment. Consider thoughtful defaults for example, nudging team members to opt-in to behavior; rather than opting out by default. Try and keep your colleagues in a “mindful” state – security and privacy aware.
Also consider appealing to the emotional rather than the rational. Humans have a unique ability to ignore the rational but sometimes emotional cues can be stronger. Weigh in on the moral importance of privacy, and – carefully – impress on the fear factor of cybersecurity breaches.
4. Implement a secure development lifecycle
Security and privacy are a way of thinking, and a practice that should be inherent to the way your team functions. One practical way to ingrain secure development is to put specific processes and activities in place that your team agrees to do every time software is updated or released.
You can do it on-the-fly too, think of DevSecOps for example. It introduces security much earlier in the life cycle and pushes security responsibilities across to every team member: not just the security experts.
5. Give your team space – and reward team members well
Countless cybersecurity breaches and data loss incidents are due to human error. We all know what it’s like to work under pressure: we can’t concentrate on work as well as we otherwise would, and the temptation to take shortcuts often overrule.
A lack of motivation can have a similar effect – and employees who are downright unhappy can lead to even worse results. Not to mention the chance of sheer maliciousness. So create processes to address quality assurance and ensure projects have sufficient time for completion: avoid rushed deadlines at all costs.
6. Recognize team members that contribute to security and privacy
Celebrating success is a proven way to motivate team performance. You have a couple of options – consider a bounty program for example or create clear career pathways for team members who show that they excel in cybersecurity.
Another option is to deliver advanced cybersecurity or compliance education to employees that really drive your cybersecurity position. Security and compliance is a hot topic and team members will jump at the opportunity to add formal qualifications to their CV.
7. Measure security performance
Sure, telling team members that they are getting monitored can damage culture and have the opposite effect – driving down instead of boosting compliance. But Peter Drucker’s adage that “what gets measured, gets managed” has always had a degree of truth to it. In other words, tell your colleagues that you are measuring security and privacy compliance and you may well boost their co-operation.
It’s tricky, of course, to set up measurements for cybersecurity. In large companies it can come down to incident reports, but you could also measure issues detected in code or do spot-checks to verify that cybersecurity measures are adhered to.
24/7/365 security and privacy require a comprehensive, human approach
So, to wrap up: you can have all the technical details in place – tech tools, programmes, rules… but if your team members are not driving cybersecurity and data privacy you’ll find yourself getting stuck sooner rather than later.
The threat and compliance landscape is simply too vast, too fast moving and too complex. Creating pathways for your team to embrace privacy will strengthen your efforts for that long-time value and security.