
Cybersecurity Should Be Making Your Organization More Awesome

How to get more interesting outcomes than simply reducing cyberattacks

By Benjamin Edelen

Cybersecurity programs are missing out on big opportunities to make their organizations more awesome. Security is generally seen as a necessary evil—spend a lot of money and impose frustrating limitations on everyone to prevent high-publicity data breaches, theft, and hacks. But our cybersecurity programs can do so much more to benefit the organization.

Here are some suggestions (in order of effort) for leaders to tweak their cybersecurity programs to get more interesting outcomes than simply reducing the frequency and damage of cyberattacks. Outcomes like increasing the likelihood that innovation and digital transformation initiatives will succeed, facilitating new lines of communication, and bringing fun and play into otherwise unpleasant topics are well within reach.

Every organization needs an established cybersecurity program. Depending on the size of your organization, your “security program” could be a team of 20 or a quarter of the attention of your only IT person. If you lead an organization that does not have a security program, the first recommendation is to start one right away.

Create a Respectful Environment for Reporting Security Problems

Your cybersecurity program should consider collaborating with the IT service desk to create a culture of respect for people who report cybersecurity issues and mistakes. Employees are acting courageously when they contact the service desk to admit they clicked a link, replied to a scammer, or entered their credentials on an unsafe webpage. Employees who do this are living the values of their organization, and the information they provide is an essential input for your security program. If employees are shamed or ridiculed instead of being treated with respect, they are being trained to conceal security problems.

At the City of Boulder, we set a standard that employees will never be ridiculed for making mistakes, that we show appreciation for employees who demonstrate courage, and that our only goal when people call us with cybersecurity issues is to help everyone recover gracefully.

If you are not confident that security problems can be reported in a safe, respectful environment, you should consider asking your security program leader to sit down with the IT service desk team to create a communication standard to address this. This work can be completed in a couple of hours and can result in a radical shift in trust between your IT service desk and employees.

Your cybersecurity program can expand on this work by creating other reusable processes with the IT service desk team. Examples of important security processes to get right include handling requests to quickly purge phishing messages from the email system, vendor remote access requests, and requests for local administrator account privileges.

High-Quality Communication and Training

Talking about cyber risk is unpleasant to many people. Nearly every organization is required to provide employees with periodic cybersecurity training and notify employees of the kinds of dangerous messages that are showing up in their inbox. Security programs often take the path of least resistance by re-sending newsletters and asking staff to go through generic staff training modules.

[Figure: Security Disaster Playbook, City of Boulder, Colorado]

If a security program seeks to develop employees who can skillfully protect themselves at work and at home, those employees will have to be provided with high-quality educational material. Email updates, articles, and training that connect with people by incorporating humor, real-world examples, and inclusive language are essential.

At the City of Boulder, we develop branding for our security and technology communications so they are consistent, trustworthy, and occasionally hilarious. We include watermarking in our emails so that employees know they are authentic. We know that this works because when we forget to include the watermark employees let us know immediately!

Our security and training programs collaborate to develop our own cybersecurity training for employees. We film video content for the trainings with a “super spy” theme. That makes our faces recognizable to employees we have never had the chance to meet.

We try to make our trainings as playful as possible. In our most recent all-staff security training, we asked employees to consider what they would do if they found a USB key that had the words “puppy secrets” written on the side. “Puppy secrets” is now an inside joke that I have laughed about with people from every single department.

Your security program should be having a positive influence on the culture of your organization. If you are not seeing these outcomes, here are some ideas on how you can set different expectations to help the security team improve. Consider asking your security program leader to develop a brand and find creative ways to use that brand to increase the quality of their communication and training.

Employees should receive engaging and relevant messages on subjects like recognizing phishing emails and password management. Employees should also be asked to take cybersecurity training on a regular basis, adding up to at least an hour or two of mandatory training per year. Training should incorporate humor, mixed media, and information about how people can protect themselves at work and at home. Otherwise employees will take the training by hitting the “next” button as rapidly as possible.

Watch Your Organization’s Back So It Can Innovate and Digitally Transform

The COVID-19 pandemic has created major technology challenges for all governments. Everyone is scrambling to rapidly transition their employees to remote work, and to transform traditional in-person government services into digital services wherever possible. Many organizations are recognizing that these changes reflect the digital transformation initiatives that they have been working on for the last several years, now with a compressed timeline.

These conditions have resulted in more cyberattacks and a complex environment to protect. As a result, cybersecurity programs might attempt to use their influence to slow down transformation initiatives and ask that innovative ideas be deferred until a more stable time. This approach will result in a security program that does more damage to the organization than it prevents.

Security program leaders are encouraged to learn about their organization’s services and be ready to support those services in new ways. Cybersecurity exists to serve the business and operations of the organization, not to be performed for its own sake.

To determine if your security strategy is aligned with the needs of your organization, meet with your security team and ask the following questions:

• Have you taken the time to learn about how our departments operated before the pandemic? Do you have a plan for helping them safely present more of their services digitally?

• How is the security program aligned with the organization’s vision and values?

• Instead of buying more tools, are we taking full advantage of the security platforms in which we have already invested?

• Have you worked with the attorney’s office to make sure our contracts include security standards for our vendors?

• Have you worked with risk management to make sure we have adequate cybersecurity insurance coverage and we know how and when we will consider activating that coverage?

Leaders can expect more from their cybersecurity programs than the reduction of cyberattacks. The ideas presented here are just a few examples of the benefits of a cybersecurity program that builds relationships, incorporates play, and is aligned with the whole organization. If you keep these suggestions in mind, you will see a shift in your people’s willingness to participate in a culture of protecting each other, and in your organization’s overall resilience.


BENJAMIN EDELEN is the chief information security officer of the city of Boulder, Colorado. Benjamin’s program protects the city through risk management, a people-first security culture, and by getting the basics right. Benjamin holds a bunch of professional certifications, actively presents at government and cybersecurity conferences, and is grateful for the opportunity to make a difference. (edelenb@bouldercolorado.gov)
