by Garry Sidaway

Getting employees to shoulder responsibility for security

Feb 15, 2011

Nothing works without responsibility. Corporate and personal success depends on it. Taking responsibility is what differentiates the blame-monger from the buck-stopper. The truly effective employee will take it upon themselves to fix what’s broken, even if it wasn’t their responsibility in the first place.

The same goes for security. How can we convince employees to be good citizens by taking personal responsibility for the security of the enterprise?

It’s trickier than it sounds, because a cultural undercurrent is pulling employees in the opposite direction. Web 2.0 and social networking thrive on user contributions, which makes them a part of everyday life for many. That everyday life often includes work, which is why IT departments have been forced to grapple with gradually encroaching consumer technologies.

These technologies are evolving at an exponential rate. Yesterday, instant messaging and Facebook were all that IT departments had to worry about. Today, Twitter, Foursquare and Quora are once again challenging corporate IT departments, forcing them to walk a difficult line between employee demand and security.

The more that consumer-focused technologies engage people behind the corporate firewall, the likelier it is that we will see security breaches occur. They allow foolish employees to post inappropriate or sensitive company material, for example. Other consumer tools such as USB keys and webmail also make it easier to transfer data – wittingly or unwittingly – outside trusted domains, or to let malware in.

The most obvious way to solve this problem is to train and then frequently reinforce the idea of security among employees. Practical instruction is vital. Employees may know some basic security practices, such as not copying sensitive files to USB keys. But the subtler nuances can escape even the most sensible workers. Does the receptionist know not to give out the names of people working on sensitive intellectual property projects to callers?

This technique was used in the Second World War to great effect. We may not want to cover our corporate corridors in posters with slogans like ‘Careless talk costs lives’, but there are other ways to achieve our goals. Custom login messages with ad hoc reminders (‘When it comes to passwords, sharing isn’t caring!’) can help to subtly remind employees of their duties.

Innovation is key here. Printing up a few hundred coffee coasters is a cheap and fun way to get such messages out. The truly imaginative company might even develop a character to help make the point. Doctor Seuss’s Private SNAFU cartoon character drove home the consequences of irresponsible behaviour during WWII. A modern version could be used to demonstrate security responsibilities, alongside other values such as customer service, and attention to detail.

Before any of this can have a real effect, however, organisations must remember the most important aspect of employee responsibility: buy-in. To truly accept responsibility for corporate security, an employee must feel both committed to the cause and empowered to execute.

Buy-in involves communicating the ‘why’ at least as much as the ‘what’. Telling your receptionist that she shouldn’t give out key employee names will be ineffective unless she knows why. Showing her how a corporate spy can use such information to socially engineer sensitive data from the company will help her to understand the importance of her role as corporate gatekeeper, and inspire her to do everything with security in mind.

This is only the start, however. The truly committed CIO will realise that giving employees a sense of responsibility extends beyond IT. To truly want to protect a company, rather than merely paying lip service to rules in a company handbook, an employee must feel a personal stake in that enterprise.

They must be inspired by where they work, and by what they’re working for. That level of commitment takes a cultural, employee-centric shift involving the whole board, and every line-of-business manager in the hierarchy.

It takes the concept of personal responsibility for the good of the company and communicates it boldly across the entire corporate culture. As CIO, with a mission to partner strategically with the rest of the organisation, you can take responsibility and get the ball rolling.

Garry Sidaway is director of security strategy at Integralis
