Remote work during the pandemic has meant that organizations had to quickly ramp up their cybersecurity efforts. But securing remote work isn’t just the job of the IT team: Ultimately companies need to make security part of every job description. And the key ingredient to make that happen is trust. The author, the global chief security officer at Box, identifies four steps to enhance trust within an organization: 1) Lead with empathy; 2) Empower employees to make effective decisions; 3) Define what matters most; and 4) Honor the distractions.
As remote work continues to be a pillar of our new normal, organizations are realizing that the security environment has dramatically changed. Securing remote work isn’t solely the job of the IT team, however — it also requires trust. Senior leadership needs to be able to trust from the beginning that their teams have secured systems for remote work. Customers need to trust that their data is protected. Employees need to trust that there are systems in place to support them.
To get it right, companies need to weave trust throughout their entire ecosystem and make security part of every job description. In my work as a global chief security officer at Box, I have identified four steps that business and technology leaders can leverage to enhance trust among the people, processes, and platforms that contribute to secure remote work.
Lead with empathy.
We live in an imperfect world, and fundamentally, trust is all about people. The most effective way to enhance trust throughout your ecosystem is to acknowledge that it will always be a work in progress.
In my experience, the most effective way to build trust is to listen, learn, and lead with empathy. When people tell you that security protocols are difficult to follow, don’t lecture them — seek to understand and find adoptable solutions. Encourage people to speak up about mistakes, and reward proactive behavior. Trust within an organization multiplies when it is generously and wisely given, and when people feel heard.
Empower employees to make effective decisions.
Unfortunately, some aspects of security practice have earned a bad reputation over the years, as well-meaning IT teams implemented security solutions that placed barriers between people and the information they need to do their job. The fact is, people will find a way to work around security measures that don’t align with their business needs. As long as end-users see security as something that gets in the way, we will always face unnecessary risks. Effective security comes from having tools and solutions that are easy to implement and follow.
My philosophy is that the best security solutions are built in, not bolted on. This means giving employees guideposts to facilitate their decision-making without stifling their productivity and trusting them to succeed. Technology can help us achieve this, such as using AI-driven tools that can automatically apply security classifications to different data types. But the goal is bigger that the tool: The point is to seamlessly integrate security into workflow processes without imposing new hurdles.
Investing in frictionless security solutions creates a sense of ownership and accountability among users for the content that they create and share. This helps individuals realize that they’re bigger than just their title in a company, which grows the trust ecosystem.
Define what matters most.
Part of any trusting relationship is knowing what’s important. Not everything in an organization needs to be as secure as a bank vault. Taking a one-size-fits-all approach to security has never been economical or purposeful, even before Covid-19 changed our work environments.
In every organization, different types of data hold various degrees of security importance. Whether it’s financial information or health care records, leaders need a clear view of what data, if compromised, would do harm to their organization. The appropriate security controls for these crown jewels need to be identified and integrated into workflows with clear lines of accountability, so that the data is protected by both the technology and the people surrounding the data.
By differentiating what’s critical from what isn’t, leaders can successfully maximize the return on their security investments, by preempting problems that could irrevocably damage confidence in their organizations.
Honor the distractions.
Trust is a two-way street. Security professionals know that end-user behavior is still one of the biggest risks to security, but I also believe that, with the right approach, end-users can be the biggest security advocates. Educating users about security threats and best practices is often seen as a “nice to have” that gets forgotten when a crisis emerges. However, this is exactly when security education is needed most. Social distractions have long been a primary threat, and the success rate with attacks is higher when everyone’s attention is diverted elsewhere.
The fact is, workers are more distracted than ever in this pandemic, with many employees working from makeshift home offices, surrounded by families and pets, maybe in multi-purpose environments like kitchens and bedrooms. Yet, these same people still want to make good decisions, and they can be trusted to do so if they have the right support. Developing and communicating clear policies about trusted devices and regularly sharing information about the changing threat environment will help establish and reinforce a strong security culture, even in a changing environment.
Organizations that don’t already have strong education programs don’t need to tackle this alone. They can look at leaders in this space to support them in ways that organically mesh into the culture of learning within an organization.
Why does that matter when securing remote work? Because it creates a work environment full of empowered people who feel invested in the company’s success — which is a trust-based security posture that money can’t buy.