How do you navigate pushback from employees who feel cybersecurity is not their responsibility?
Cybersecurity is a critical aspect of any organization's operations, and it's often assumed that every employee will recognize its importance. However, you might encounter resistance from some employees who feel that cybersecurity isn't their responsibility. They might think it's the IT department's job or that cybersecurity measures are too cumbersome and hinder their productivity. This resistance can be a significant barrier to creating a secure organizational culture.
-
Seamus O'Reilly
Cyber Security Expert | Specialist in Social Engineering & Red Team Penetration Testing | Technical Director | Securing Organisations Against Advanced Persistent Threats
In my experience, effective cyber security begins with education, emphasizing the clear impacts to all. Data breaches can severely impact a company by:
- Job Losses: Breaches can lead to financial losses, forcing companies to cut costs and resulting in redundancies.
- Legal Issues: Companies may face fines if sensitive information is compromised.
- Reputation Damage: A breach can break customer trust and brand reputation, resulting in lost business and long-term damage.

Treating people like adults by highlighting the true cost reinforces the understanding that cyber security isn't just an IT issue but everyone's responsibility. Knowing that my efforts make a real difference in protecting people's livelihoods is a strong motivator.
-
Abdoulaye .D
Cyber Security Consultant - Cyber Trust at Devoteam
To overcome the reluctance of employees who feel that cybersecurity is not their responsibility, several approaches can be effective:
- Education and awareness: Organize regular training sessions to explain cybersecurity issues and the possible consequences of a security breach. Use real-world examples and case studies to illustrate the real-world impacts of cybersecurity breaches.
- Clear communication: Establish clear communication about the importance of cybersecurity and the shared responsibility of each employee. Explain that cybersecurity is not just a technical issue, but also concerns daily behaviors and best practices.
-
Charwin Vanryck deGroot
Senior Security Engineer @Success Academy | Cybersecurity | AWS | Cloud Security
Aside from formal training programs, it's important to create a culture where learning about cybersecurity is part of everyday work life. Encourage everyone to stay updated on the latest threats and best practices by subscribing to cybersecurity newsletters and attending webinars. Organize regular team meetings where staff can share recent findings or discuss new threats they've read about. Having a mentorship program can also be incredibly valuable; experienced cybersecurity professionals can guide and support newer team members. This not only helps everyone stay informed but also builds a strong, supportive network within your team.
-
Franko Janku
Penetration Tester at Silensec || Red Team Consultant at CYBER RANGES
Effective cybersecurity indeed begins with education. Ensure that all employees understand the risks and consequences of cyber attacks by making the information accessible and relevant. Avoid technical jargon and instead focus on how data breaches can impact the company, such as job losses, legal issues, and reputational damage. Highlight that cybersecurity is a shared responsibility and that their actions play a crucial role in protecting the organization. Regular, relatable training sessions can help reinforce this message and encourage proactive behavior.
To navigate pushback, engage employees in the cybersecurity process. Create opportunities for them to voice their concerns and suggestions. This can be done through regular meetings, suggestion boxes, or anonymous surveys. When employees feel heard and involved in the decision-making process, they're more likely to take ownership of cybersecurity practices. Recognize and reward positive security behaviors to further encourage engagement and accountability.
-
Charwin Vanryck deGroot
Senior Security Engineer @Success Academy | Cybersecurity | AWS | Cloud Security
Beyond the technical measures, creating a strong sense of community and teamwork can really boost engagement in cybersecurity practices. Organize fun and interactive events like Capture the Flag (CTF) competitions or hackathons, where employees from different departments team up to tackle security challenges. These activities make learning about cybersecurity exciting and help everyone feel like they're part of a bigger mission. By encouraging collaboration in a relaxed and informal setting, you not only make cybersecurity more approachable but also build stronger relationships among team members. This way, everyone feels more connected and committed to keeping the company safe.
-
Seamus O'Reilly
Cyber Security Expert | Specialist in Social Engineering & Red Team Penetration Testing | Technical Director | Securing Organisations Against Advanced Persistent Threats
Navigate pushback in cybersecurity initiatives by actively engaging with employees. After implementing a new password policy, employees found it cumbersome, which led to poor take-up and adherence. The fault was mine; I did not listen to the people who, day-to-day, would be forced to use 16+ character passwords with a mix of uppercase, lowercase, special characters, and numbers. By listening to their concerns, I revised the policies to balance security and usability. This not only improved compliance but also made employees feel heard and valued. The employees also became proactive in their cybersecurity practices, and our organisation's overall security posture improved significantly.
-
Franko Janku
Penetration Tester at Silensec || Red Team Consultant at CYBER RANGES
Engaging employees in the cybersecurity process can help navigate pushback effectively. Provide opportunities for them to voice concerns and suggestions through regular meetings, suggestion boxes, or anonymous surveys. When employees feel heard and involved, they are more likely to take ownership of cybersecurity practices. Additionally, recognizing and rewarding positive security behaviors can further encourage engagement and accountability. This inclusive approach fosters a proactive and cooperative security culture.
One common complaint is that cybersecurity measures are too complex and disruptive. To address this, streamline processes wherever possible. Use single sign-on (SSO) systems to reduce password fatigue, implement user-friendly security software, and automate updates to minimize disruptions. By simplifying cybersecurity practices, you reduce the friction employees experience and make it easier for them to comply with policies.
-
Dhia Charef
Team Leader | SaaS | Software Product Manager | 7+ Years of Experience
Navigating pushback from employees regarding cybersecurity responsibilities involves simplifying processes to encourage compliance and understanding. Implementing user-friendly security measures like single sign-on (SSO) systems reduces complexity and minimizes disruption. Automating updates and using intuitive security software further eases adoption. Providing clear, accessible training and demonstrating how these measures protect both personal and organizational data helps employees see the relevance and importance of their role in cybersecurity.
-
Franko Janku
Penetration Tester at Silensec || Red Team Consultant at CYBER RANGES
Addressing complaints about the complexity and disruptiveness of cybersecurity measures is essential. Simplify processes by implementing single sign-on (SSO) systems to reduce password fatigue, using user-friendly security software, and automating updates to minimize disruptions. By streamlining cybersecurity practices, you can reduce friction and make it easier for employees to comply with policies, thereby enhancing overall security compliance and effectiveness.
Ensure that employees have access to the resources they need to follow cybersecurity best practices. This could include easy-to-understand guidelines, regular training sessions, and a dedicated helpdesk for security-related queries. By providing these resources, you demonstrate your commitment to cybersecurity and empower your employees with the knowledge and tools they need to contribute to a secure environment.
-
Dhia Charef
Team Leader | SaaS | Software Product Manager | 7+ Years of Experience
Providing resources is crucial in gaining employee cooperation in cybersecurity. Offer clear, accessible guidelines, regular training sessions, and a dedicated helpdesk for security queries. These resources empower employees to understand and implement best practices effectively. Demonstrating organizational commitment to cybersecurity fosters a culture of security awareness and responsibility, encouraging active participation in safeguarding sensitive data and systems.
-
Franko Janku
Penetration Tester at Silensec || Red Team Consultant at CYBER RANGES
Providing employees with the necessary resources to follow cybersecurity best practices is vital. Offer easy-to-understand guidelines, regular training sessions, and a dedicated helpdesk for security-related queries. By equipping your team with these resources, you show your commitment to cybersecurity and empower employees with the knowledge and tools to maintain a secure environment. This support fosters a culture of security awareness and proactive behavior.
Building a culture of cybersecurity is essential. This means integrating cybersecurity into the core values of your organization. Regularly communicate the importance of cybersecurity and share stories of how good practices have prevented incidents. Encourage leaders within your organization to model good cybersecurity behavior, as their actions will influence others. A culture that prioritizes cybersecurity can reduce resistance and foster a more proactive approach among employees.
-
Derek B. Davis
Cybersecurity Marketing
Building a culture of healthy cybersecurity in an organization requires continuous education and awareness. Regular training sessions should be held to keep employees informed about the latest threats and best practices. Encourage a proactive approach by promoting open communication about potential risks and incidents. Implement clear policies and procedures, making sure they are easily accessible and understood by all. Leadership must lead by example, demonstrating a commitment to cybersecurity. Recognize and reward good cybersecurity practices to reinforce positive behavior. Foster an environment where employees feel responsible for and empowered to contribute to the organization’s security.
-
Franko Janku
Penetration Tester at Silensec || Red Team Consultant at CYBER RANGES
Integrating cybersecurity into the core values of your organization is crucial for building a strong security culture. Regularly communicate the significance of cybersecurity and highlight success stories where good practices have prevented incidents. Encourage organizational leaders to lead by example and demonstrate good cybersecurity behaviors, as their actions will influence others positively. By prioritizing cybersecurity in this way, you can reduce resistance and foster a proactive approach among all employees, creating a more resilient security environment.
-
Seamus O'Reilly
Cyber Security Expert | Specialist in Social Engineering & Red Team Penetration Testing | Technical Director | Securing Organisations Against Advanced Persistent Threats
By integrating cybersecurity into our core values and ensuring continuous communication, we reduced resistance, facilitated collaboration across the organisation, and gained buy-in from everyone. We made cybersecurity a tangible, fundamental part of our company culture. To communicate its importance, we held regular lunch-and-learn sessions and shared real-life stories of how good cybersecurity practices had prevented potential incidents. We rewarded good behaviours and gamified the process for those needing help and support. Most importantly, we invested time to correct the culture we originally built, allowing people to make mistakes and come forward without fear of reprisal or judgment.
Finally, it's important to listen to and address specific concerns employees may have about cybersecurity responsibilities. They may feel that these responsibilities are outside their job description or fear that they lack the skills to comply with policies. Provide reassurance through training and support, and clarify how their role impacts the overall security of the organization. By addressing concerns directly, you can turn skepticism into cooperation.
-
Akram Guediri
Bringing programming and art together | fintech enthusiast with infosec background | student at 42 Heilbronn
One common issue I encountered frequently while working as a pentester, especially with smaller companies, is that developers often assume their application will never be reverse engineered. The reality is, it will be. Frequently, we discover sensitive information commented in the code for "testing" purposes, which can be as critical as a private key. It is essential for developers to always keep in mind the possibility that someone might reverse engineer their code.