Some enterprise security tactics can backfire, pitting IT and security teams against the employees they’re trying to protect.

Josh Yavor, CISO, Tessian

April 8, 2022

Wooden figure pushes a rock labeled "Nihilism."
Source: GoodIdeas via Alamy Stock Photo

When it comes to staying safe and secure in our digital worlds, sometimes it can feel like giving up is the only choice. This idea of "security nihilism" isn't new. Security teams have always faced incredibly challenging problems while trying to enable safe and trustworthy experiences across all the technology we use. It can be a difficult trap for security practitioners to escape, but it's even more dangerous when employees start to feel it. Security nihilism creates new problems and worsens existing ones, putting a company's data — and the employees who are stewards of that data — at risk.

Unfortunately, security and IT teams can inadvertently cause a sense of security nihilism. Some enterprise security tactics, while well-intentioned, can end up pitting IT and security teams against the employees they're trying to protect. Strategies that rely on scare tactics, that shame employees for making mistakes, or that overwhelm employees with information can lead to frustration and a lack of engagement. Worse, they can cause people to just give up. If breaches seem to be inevitable and getting security right is so difficult and burdensome for employees, why bother?

Security teams must take accountability for keeping employees engaged. It's time to shift the message to empower employees and create a culture where everyone is on the same side. Here are three steps toward that goal.

1. End "Gotcha"-Style Tactics That Shame Employee Mistakes
Blaming or shaming employees who make mistakes is counterproductive and can lead to security nihilism. Employees can get discouraged and give up, or they won't tell security teams when they receive a phishing email or click on a malicious link. Employees are not part of the problem; they're part of the solution. Security teams can't respond to a threat or a breach if they don't know about it, which means employees are important allies in safeguarding company data.

"Gotcha"-style phishing tests are a good example of this problem. One such test involves emailing all of a company's employees with information about a holiday bonus. The people who click the link are "punished" with more cybersecurity training. Tactics like this create an adversarial dynamic instead of uniting employees, security teams, and IT teams under a shared goal of keeping the company secure. Accountability must shift from employees to security teams. It's unreasonable to expect every employee to be a security expert while trying to do their jobs. The narrative needs to change from blaming employees to asking why they were in a position to make a mistake in the first place.

2. Use Positive Incentives to Combat Security Fatigue
Rewards are far more effective than punishment. Positive incentives can help combat security nihilism, keep employees engaged, and cement a partnership mindset between security teams and employees.

This approach has already worked well on the consumer security side. Epic Games rewards users who enable two-factor authentication on their accounts by giving them new emotes (a dance move or other action a character can perform in the game Fortnite) and items for their characters. The company recognizes that it has both a responsibility and an opportunity to combat end-user security fatigue and add some fun to consumer cybersecurity, which is often negative or overwhelming.

Positive incentives can be provided when employees spot a suspicious email, complete a training, update their password, or admit to a mistake such as sending sensitive data to the wrong person. Organizations don't have to commit a lot of resources to this; recognition and stickers go a long way.

3. Take the FUD Out of Security Awareness Training
Security awareness training has gained a reputation for being boring and irrelevant. It's tempting to use fear, uncertainty, and doubt (FUD) to get employees to pay attention, but a more effective approach involves individualized training that celebrates security wins.

Rather than quarterly, check-the-box training for the entire company, training should be tailored to smaller groups or individuals using relevant, contextualized scenarios. For example, the training for a new remote employee on the sales team could use real-world phishing techniques that commonly target that type of employee. The focus should be on what an individual employee needs to accomplish to detect and prevent security threats and practice safe behavior.

This kind of training also should share and celebrate accomplishments, such as when an employee flags a suspicious request. Highlighting wins and successful outcomes in the face of security risks reinforces the engagement and behavior from employees that are critical for company-wide success.

Security Doesn't Have to Be Scary
One of the major roadblocks to protecting company data is security's association with punishment, fear, and difficulty. People tend to ignore or avoid things that are hard and scary, or they simply shrug their shoulders and say, "Who cares?" This nihilistic mindset must be addressed, and it's up to security teams to counteract it.

A better way forward involves creating an environment where employees can do their work while avoiding security risks. Bring them into the fold by rewarding wins, taking the shame out of mistakes, and creating training that celebrates employees as crucial to safeguarding an organization.

About the Author(s)

Josh Yavor

CISO, Tessian

Josh Yavor is CISO at Tessian, leading information security, threat intelligence, and security research. Most recently he served as CISO for Cisco Secure and led cloud security for Duo Security, with earlier stops at Facebook, Oculus, and iSEC Partners. Josh is an aspiring woodworker and recovering middle school teacher.
