The mere suggestion that employees should be given greater autonomy on cybersecurity decision-making would send a shiver down the spine of many C-suite executives. If anything, IT security procedures often revolve around keeping a close eye on employees to ensure they are always doing the right thing. But is such routine micromanaged security truly as effective as it is made out to be?
Micromanaging security is expensive in terms of the time and resources required. Worse still, it does not always deliver the degree of compliance desired. Is it perhaps time enterprises adopted a more trust-based approach?
That doesn’t mean an “anything goes” policy. Rather, it’s about empowering workers to apply their knowledge, experience, and judgment to make the right security decisions. After all, you cannot write security procedures that address every threat imaginable. Staff who can think on their feet are a valuable asset.
Giving your employees more cybersecurity decision-making leeway requires a fundamental shift from the traditional approach. The new model is one underpinned by training and educating your staff, so that they become bulwarks against cybersecurity threats.
Here’s a more detailed look at why employee empowerment is the way to go.
1. Increased automation in security controls
Today’s organization is heavily dependent on technology. This dependence on tech is only bound to grow. In fact, one of the hottest conversations at the moment is on how the transition to artificial intelligence and machine learning will see the loss of employment around the world. So it’s not hard to envisage how, when it comes to IT security, many controls can be coded or configured into the system.
Think about password rules (minimum number of characters, a mix of letters and digits, the inclusion of at least one symbol, not reusing a password for at least six months, etc.). Many companies have rigorous technological controls that automatically force employees to conform to security policy and procedure.
By relying on technology to enforce the most important rules and prevent the most catastrophic risks, organizations can be a lot less overbearing on their employees.
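As an added illustration (not code from the article) of how such rules can be coded into the system rather than policed by a manager, the following enforces the password rules listed above: the minimum length of 12 is an assumed value, since the article gives none, and reuse is refused by checking a salted, hashed per-user history.

```python
import hashlib
import os
import string
from datetime import datetime, timedelta
from typing import List, Tuple

# Rules listed in the article: minimum length, a mix of letters and digits,
# at least one symbol, and no reuse of a password within six months.
MIN_LENGTH = 12                      # assumed value; the article gives no number
REUSE_WINDOW = timedelta(days=182)   # "at least six months"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that stored history entries are not reversible
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def policy_violations(password: str) -> List[str]:
    """Return the rules the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix letters and digits")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one symbol")
    return problems

class PasswordHistory:
    """Per-user history of (salt, hash, set_at) so reuse is refused automatically."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes, datetime]] = []

    def reused_recently(self, password: str, now: datetime) -> bool:
        # Only entries set inside the reuse window are compared, and only by hash
        cutoff = now - REUSE_WINDOW
        return any(set_at >= cutoff and _hash(password, salt) == digest
                   for salt, digest, set_at in self._entries)

    def set_password(self, password: str, now: datetime) -> List[str]:
        """Enforce every rule; record the password only when all of them pass."""
        problems = policy_violations(password)
        if self.reused_recently(password, now):
            problems.append("reused within the last six months")
        if not problems:
            salt = os.urandom(16)
            self._entries.append((salt, _hash(password, salt), now))
        return problems
```

The control rejects a change with the list of broken rules, so the feedback reaches the employee at the moment of the decision instead of through a manager after the fact.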
2. A greater sense of ownership
A universal principle of team dynamics is that people are more likely to be committed to a cause if they feel they are active contributors to the decisions that guide the process and determine outcomes. In other words, having a manager ram company policy down their throats and demanding that each worker comply without explanation isn’t an effective way to get everyone on the same side.
By sharing the principles of cybersecurity with staff and giving them some freedom in everyday cybersecurity decision-making, employees will feel a greater sense of personal duty in protecting the organization’s systems and data.
3. Thinking out of the box
Organization procedures are meant to minimize risks by ensuring all employees follow a consistent and predictable process. While this does help a great deal in keeping everyone on the straight and narrow, it can also be counterproductive. Procedures can stifle thought and imagination. No procedure can fully cover every conceivable scenario.
Every cybersecurity procedure leaves some room for discretionary cybersecurity decision-making. It’s better to prepare employees with the knowledge and authority they need to make such discretionary decisions when they arise. Don’t wait until an incident occurs for them to try to figure out whether they should do anything and what it is they should do.
4. Evolving technology and environment
No organization operates in a static environment. Every week, month, and year, there are changes to the legal, commercial, and technological environment the business operates in. To keep up with these changes, many large corporations schedule a procedure review every six to 12 months. It may seem like a long time, but given the number of changes that are likely to have taken place over that period, it makes sense to update them in one go.
But this six-to-12-month window between updates leaves room for failure, because employees may be following procedures that are no longer relevant to the current operating environment. Given greater autonomy, employees can take the fairly commonsense decisions needed to account for these changes even before policies and procedures are updated.
They are also more likely to bring to management’s attention changes that necessitate an immediate alteration to procedure so as to mitigate serious risk.
5. Employee character and knowledge are more important
Procedures are there to make sure employees are doing the right thing all the time. However, procedures and controls can be overrated.
While the risk of getting the sack for violating procedure is a valid deterrent, it will not necessarily prevent a wayward employee from finding a way around the rules so they can do wrong. An employee could very well do the wrong thing while staying technically within company procedure.
Instead, organizations should prioritize nurturing and encouraging ethical behavior at all times irrespective of what the procedures may demand.
It’s impossible to gauge an employee’s true character from just an interview. It will probably be weeks or months after hiring before you know what they stand for. Companies can grant greater cybersecurity decision-making authority to individuals who prove to be trustworthy.
Of course, for this kind of freedom to make sense, it has to go hand in hand with thorough training on IT security regulations and best practice so the employee makes informed decisions.
6. Demystifying tech
Many employees see InfoSec and IT security as fields that are too technical for mere mortals. They are therefore more than happy to leave the responsibility of thinking through appropriate cybersecurity controls and procedures to the geeks.
In reality, though, the logic that drives the procedural and technological controls that prevent system failure and data loss is fairly easy for the average employee to understand. Only a small proportion are truly deep and complex concepts that are hard for anyone but hardcore techies to grasp.
The ubiquity of technology and the Internet in everyday living has given nearly every adult some basic knowledge of technology. The average person has interacted with a home computer, smartphone, smart meter, and a growing ecosystem of gadgets that are part of the Internet of Things. Many of the security and privacy precautions one would take at home aren’t too different from what they would be expected to do at their workplace.
Giving employees greater decision-making power on this basis can help demystify workplace tech. It gets workers to consider themselves a pillar in the protection of enterprise systems and data.
Cybersecurity decision-making: A boost to your employees
Few things raise a person’s self-belief, motivation, and enthusiasm more than positive affirmation from someone with authority over them. Greater cybersecurity decision-making autonomy can be a positive for an institution’s overall cybersecurity goals. Of course, there will always be instances where an employee willfully or inadvertently does wrong. Such instances are, however, not numerous enough to negate the substantial benefits that come with a knowledgeable, empowered workforce.