Chief Information Security Officer Bob Bruns leads Avanade’s client data protection, incident management and asset protection.
As security leaders, we know that our employees are our biggest assets, but also one of our biggest risks. One inadvertent click within a malicious email and we could be staring down a ransomware attack. Employees, however, can also be valuable members of our team, a frontline defense that helps protect our data and our company from online intruders.
My company’s leadership team and I have made it a priority to include our company’s employees as part of our strategic planning, and for good reason. Global employees are moving fast, and their days are packed with their own responsibilities, whether they are in an office, working remotely or at a client site. That’s why leadership teams must work hard to convince employees that partnering with them is worth their time and effort.
To do that, you have to earn their trust.
Trust: A Two-Way Street
In the context of security, there are two types of trust: trust that our actions will be predictable, and trust that we have employees’ best interests in mind. To turn employees from company bystanders to security advocates, both are important.
Three components, in my experience, are necessary to win employees’ trust:
1. Be transparent. Share what you are doing, why you are doing it and how any program or change will be deployed. To build trust, it is important to tell people what you are doing before they find out on their own. For example, we collaborate on data privacy issues with employee groups and work councils in the countries in which we do business. Because we have built a history of openness with them, they know they can both predict and trust that we will do what we say and act in ways we believe are in people’s best interest. There will always be occasional friction and the company’s goals may be different than any one person’s, but be committed to working through those with honesty and good intentions.
2. Be flexible. One of any security organization’s biggest challenges is to strike the right balance between enabling employees and protecting the company and its operations. Each company’s balance point will be different and finding that right balance for a particular business is a big component of building trust. You don’t want to tighten security so much that people lose productivity, but you have to tighten it enough to make sure your organization is secure.
There may be times when, despite your best efforts, you get the balance wrong and have to reassess the benefits of a security program compared with the consequences for employees. We encountered this at my company when we first began building “bring your own device” protocols. The good news is that, by working closely with groups around the company, we were able to find an approach that worked for everyone.
3. Reach out. Anywhere you look in our company, employees should be able to find security leadership. Management reviews and a cadence of all-employee communications are just the start.
Because my company is a technology company, for example, we brief our security and technology employee groups at their monthly meetings. We take advantage of our company’s early adopter program; about 10% of the company has opted in to get the latest technology first and provide valuable input into pilots, proofs of concept and more. Almost every security item also goes through that group first.
Communicating what you are doing helps your security organization, as well. Just like with our “bring your own device” example, not only can you get technical feedback from your technology communities, you can also make sure you understand the potential impact of what you are doing on users across the company and adjust your approach, if necessary.
Call On The Experts
To be sure you are communicating effectively to all your different audiences, partner with your change management organization and follow their advice. Today, in addition to seeking out opportunities across the company for security conversations, you should:
• Use an informal tone to talk about security in the most relatable way possible, incorporating humor and gamification whenever possible.
• Avoid stereotypical militaristic language. Instead of a battle against evildoers, seek a partnership to keep all of us and our company safe.
• Identify a behavior you would like people to adopt or change and then build a communications campaign with a theme that catches their attention and stresses its benefit to them.
• Emphasize that employees are essential to our success: “We are here for you, and we need you to help us.”
Not every company will have a change management group to call on, but we all can benefit from developing close partnerships with our employees. How do you build trust within your own organization and how does it benefit your security programs?
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.