Fredrick "Flee" Lee is CISO at Gusto, a cloud-based payroll, benefits, and human resource management software provider. Along with his fun-sounding nickname, he has a playful view on how to get organization-wide buy-in on security: Get people to fall in love with the security team.
"The key to building and instilling a security culture within an organization is to make security lovable," Lee says. "Security can't hide behind their hoodies, so to speak. Security should be the most approachable team in the room so that other teams within the organization want to actively engage with [them], instead of skirting around [them]."
Security is serious, Lee explains, but you want your security team to be approachable — to be seen as the helpers, he says. Nail that and suddenly security isn't seen as a roadblock or barrier; it's the team who's going to go out and find solutions to securely enable products and features that weren't possible in the past.
At Gusto, Lee says, he accomplishes this by conducting security team-building and offsite activities with colleagues from other teams, and by having an open-door policy and office hours so anyone, from any division, can feel welcome to approach with questions. He also offers lab-based training for developers.
"You don't get someone to fall in love with a sport by throwing the rule book at them," Lee says. "You let people experience it. At Gusto, we've implemented lab-based training with an emphasis on collaboration. Our security pros don't go up to a whiteboard and dictate what to do to developers as a lecture. Instead, we create learning modules that enable developers to think like hackers. We let them wear the hoodie, so to speak. That way we create champions and evangelists who get their teams excited about security."
Lee also makes sure to keep his security folks visible year-round by seating them among the teams they support.
"That way they're viewed as part of the team, instead of a compliance layer," he says.
Next Stop: Cybersecurity Utopia?
Jon Check, too, sees the need for security to be personable. The senior director of cyber protection solutions at Raytheon Intelligence, Information and Services has been working lately on educating others about what he calls "Cyberlandia" – the optimum state of cyber readiness featuring happy employees who feel empowered and energized to face whatever threats are thrown their way.
"A healthy, positive workplace culture is an organization's greatest cybersecurity deterrent," Check says. "Instead of taking a reactive stance to adversarial threats, corporations should invest their time, budgets, and energy into a crucial asset that isn't often discussed: a corporate culture rooted in employee well-being."
A people-first approach to designing security is the first step to reaching Cyberlandia, Check says. It requires a soft touch when communicating with employees.
"Given the sensitive work within the cybersecurity sector, there are always high-stress and high-risk discussions in the workplace," he says. "An effective manager will strategically disclose this information to those who need to hear it, knowing that misplaced information could cause undue stress across the office."
Speak Softly – and Lose the Big Stick
Indeed, the soft skills of communication are essential to building security culture, says Geoff Belknap, CISO at LinkedIn. But while the security team doesn't want to instill fear and scare people into secure behavior — that isn't effective, Gusto's Lee says — it is still essential to be honest and frank about what's at stake when it comes to risk mitigation.
"I do think there's an interpersonal element of security culture that can get overlooked. Historically, security teams have taken on the 'policing' role in an organization — enforcing security practices and emphasizing the negative consequences of mistakes," Belknap says. "The problem with this mindset is that it creates an adversarial dynamic of 'us versus them,' when in reality, security affects the entire organization and should be everyone's responsibility."
It's all about creating a security-aware culture, he adds. As part of that, it's critical for security teams to convey why security is a priority for everyone using language that employees from all levels of the organization can understand.
"Avoiding jargon or falling back on 'that's just the way it is' when you're explaining things will go a long way toward fostering understanding throughout the organization," Belknap says.