Educate Your Team— Do not chase when it comes to security!

not your CISO
3 min read · Sep 5, 2022

“Hey, could you please complete the security training? It was due two days ago.”

“Hey, this is a kind reminder to complete the access review.”

“Hey, could you please do this? Do that? blah blah blah”

You must have received a lot of emails like this, or worse, you might have written a lot of such emails.

You might have raised it with your seniors as well, and I bet this is what you got in response —

“You have to chase them!”

I mean, seriously? It was one of the reasons I thought of leaving all my previous jobs ;)

There is no harm in writing reminder emails a couple of times. It’s human nature to forget things, procrastinate, and maybe not feel like doing something immediately. That’s completely okay.

But when it comes to security, this should not be the default, especially when you are dealing with the weakest link in security, i.e. the human. A couple of emails are okay, but not more than that. You can never build a security culture by chasing people.

Why?

We can all agree that everyone is responsible for security, not just the information security department. The information security department can govern, share best practices, implement controls and conduct awareness training, but in the end it is up to the end user not to click on the phishing link, to report an incident as soon as possible, to report when a new asset is created, and so on. A lot of reminder emails and keeping track of follow-ups can lead to email fatigue and inefficiency. I agree that everyone is busy and has their fair share of tasks to do, but the question is: can chasing them really get the work done? No; at best, it will irritate them.

What do we do?

Self-awareness goes a long way: it spares people the fatigue of sending and receiving reminder emails and keeping track of follow-ups. I believe the best way to build a security culture is not by chasing but by instilling an understanding of security and responsibility. The best way to do this is to lead by example. I understand that senior management’s and executives’ time is most valuable, and these might be low-priority tasks for them. But if they can accommodate these requests in their schedules within the specified deadlines, it will send a positive message to the entire organisation. When you are leading a team, be you a CEO, CFO, CISO, VP, manager or team lead, your actions inspire the people you are leading. Instead of assuming they will follow the process, show them the process by following it yourself, and talk about it strictly. If you are lenient, everyone in the team becomes lenient.

It is not an overnight solution, but this top-down approach can certainly be effective in the long run.

“A lot of reminder emails and chasing people can get the work done if you just want to be compliant; it’s inefficient if you want to build a security culture.”

Thanks for reading :)

Follow me on — LinkedIn, Twitter.
