Create A Positive And Effective Cybersecurity Environment; Abolish The Shame Culture

Incorporate these tips to establish a positive reinforcement cybersecurity culture rather than a blame-and-shame game.

It is common in organizations to name and shame the people who have caused a cybersecurity issue. But doing so is neither a permanent solution nor a healthy practice. That's why it's important to create a positive cybersecurity environment. Scott Matteson, writing for TechRepublic, offers a few tips for establishing positive reinforcement in cybersecurity.

Here is what he has written:

  • Providing workers with a positive experience and teaching them to value their role in the company is a great way to encourage them to comply with the policies. In addition, this practice is beneficial for the company as a whole.

  • Even a small recognition from management for reporting phishing emails or completing training can be enough to foster an environment of positive attitudes towards cybersecurity principles.

  • Cybersecurity culture is nearly impossible to quantify due to the absence of measurement tools. As a result, many companies strive to measure their security metrics' human element by conducting phishing or social engineering campaigns aimed at employees to see how susceptible they are to hacks.

  • The flaws in this argument are that simulations may put workers into uncomfortable positions and lead them to resent security teams. This is a costly solution with little benefit.

  • Embarrassment rarely accomplishes anything positive, and from a security perspective, has been thoroughly discredited. 

  • Attacking employees doesn't improve cyber-resilience as much as it negatively positions your team internally, making it difficult to get people on board with initiatives. 

  • The best security leader should implement tactics and technologies that create a frictionless experience for employees.

  • Rather than shaming employees and then coaching them, IT and security leaders should provide a frictionless security strategy that doesn't frustrate workers when they need it most.

  • Engaging in security initiatives as an organization rather than an IT mandate is one way to protect your team. It's important to note that engaging in security initiatives - not just as the IT department - starts with a culture of openness.

What We Think

IT leaders should work on the assumption that their employees are always on the organization’s side. For example, when employees download shadow IT, we've noticed that it’s because it helps increase their productivity and is not out of any malice. IT leaders should educate their peers about how important cybersecurity is and involve them in the procurement process.

You can read the full article here.