Most organizations would like to have an ingrained culture in which security is considered everyone's responsibility, so why do employees struggle to trust information security teams within business?

Many employees are fearful of information security teams, and this lack of trust leads to security incidents going unreported, and data breaches occurring with no advance notice to the teams that could prevent them.
Can we create a future in which employees feel supported and enabled by security, and not frightened by it? A key piece of developing this trust is managing potential insider threats ethically and with empathy.
Tact is Key
In many cases, insider threats are not halted before they happen, as businesses are fearful of wrongly accusing staff and, in many cases, companies assume the best intentions of their employees. While having full faith in staff is noble, we must not ignore that insider threats (either negligent or malicious) have increased by 47% in the past twenty-four months, according to the Ponemon Institute.
Though this number is substantial, in all cases, it is of the utmost importance that businesses approach instances of insider threats tactfully and ethically. It is critical that companies do not infantilize employees, as this perpetuates the concept that security cannot be trusted.
A lack of confidence in information security teams will lead staff to avoid speaking up if future incidents occur, or if they notice suspicious activity.
Follow a Documented Process
Develop a written policy and procedure document that explicitly details the process you intend to follow - and then handle each case exactly according to the document. Following a strict process, instead of managing insider threats on a case-by-case basis, eliminates unethical bias and ensures compliance. In addition, it reinforces the critical value of integrity, which is a pillar of the information security domain.
Utilize Soft Skills
Individuals in the information security landscape are encouraged to continuously improve their technical knowledge. Though essential for our success as technical staff, this leads us to forget the human element of insider threat. We are dealing with insiders, who are humans, and from this we can infer that soft skills are critical to the evaluation of such threats. Although using interpersonal skills when dealing with other people should seem like common sense, it often is not, and our communication and empathy fall by the wayside.
From the beginning to the end of a potential insider threat, effective communication that maintains respect for both the information security staff and the negligent/malicious staff is crucial. It will be impossible to mitigate or address potential insider threats without utilizing soft skills for conflict management. Adeptly interacting with staff means active listening to fully understand the cause of the situation.
Moreover, providing retraining in cases of negligence is often more effective as workplace conflict resolution than hostile discipline, and is a constructive way to build trust between information security and staff. This retraining can be accomplished by giving offending employees explicit instructions on how to avoid future security incidents. For example, password-sharing insider threats can be mitigated by offering the negligent employee a password safe, or a list of best practices for credential use.
Assess your Audience
When implementing new policies and controls regarding threat and incident management, put yourself in the shoes of a fellow employee. How will they internalize this change? Identify what they have to gain or lose, or what they are motivated by. Conducting a risk analysis is an excellent way to make this assessment concrete. Taking stock of staff members' response to change prior to implementation is a great way to develop trust between teams.
Correspondingly, this empathetic approach of assessing our audience shows respect for fellow employees as part of the change management process. While we are responsible for driving security, we can advance our processes with empathy and respect. This is not for popularity or for status, but because trust and integrity are key elements of information security - we are more likely to foster a culture of security awareness if we are empathetic and approachable to those we work with.
Asking staff for feedback on incident management processes, or surveying employees on ways to improve information security standard operating procedures, are concrete ways to develop trust through soft-skill communication.
While technical skills and knowledge are critical in the information security landscape, it is unquestionably important to remember that insider threats involve humans; hence, we cannot neglect the use of soft skills to manage incidents. Operating with empathy and ethics requires us to utilize people skills in order to mitigate incidents, whether malicious or negligent. Soft skills allow us to build trust among staff, something a mature culture of security awareness cannot operate without.
It is in this use of soft skills that we can effectively show employees that information security is a function that will support and enable them - a positive strategy that we can argue will lead to fewer insider threats and ownership of security by all employees.