How to get employees security engaged

Engagement is more than just knowing what to do, but being committed and enthusiastic about doing it right.

Employee engagement is a hot management topic these days. One reason it's top of mind is that recent studies show many employees are simply not very engaged at work.

Gallup, the research and polling company, tracks employee engagement globally. In January, Gallup reported that in 2015 only 32 percent of U.S. employees, and 13 percent of employees worldwide, were engaged in their jobs, meaning they were "enthusiastic about and committed to their work and workplace." The fact that two-thirds of employees lack commitment and passion on the job has serious implications for business strategy and execution.

Now consider, given this lack of employee engagement, how hard security training, awareness, and culture (STAC) professionals have it. STAC teams are constantly challenged to improve the priorities, behaviors, and decisions people make regarding information security. That's a tough job. Even when STAC programs are well-funded and enjoy executive support (many have little of either), getting people to care about security, to be engaged in protecting corporate IT assets, is a tall order. If most employees don't care that much about their own jobs, it shouldn't be a shock that they have a hard time caring about the security team's job as well.


This lack of security engagement may even drive insider threat narratives that are so popular today within the industry. In my experience, security professionals are more engaged in their jobs, more passionate about what they do. So I can see how apathy in non-security employees might be interpreted as negligence or even maliciousness. But that's a dangerous mistake to make. "You can't patch stupid" may strike security professionals as funny, or even accurate, but the attitude is self-defeating in the end, and a poor strategy for winning hearts and minds.

Lessons from employee engagement research

Research into employee engagement has a lot to offer security programs and security awareness teams. By looking at what drives employee engagement in general, we can uncover clues and insights to help us better engage people specifically in cyber security.

A 2015 study in the MIT Sloan Management Review found five dimensions of employee engagement:

  1. Employee satisfaction - employees react positively to their job circumstances and colleagues
  2. Employee identification - employees' emotional satisfaction is tied to the company's success or failure
  3. Employee commitment - employees are willing to do more than the minimum required in their job description
  4. Employee loyalty - employees' attitude about the organization makes them want to exceed expectations
  5. Employee performance - employees strive for higher quality in the goods and services the company produces

There are obvious overlaps between these dimensions of employee engagement and security awareness best practices. Most important is the need for security programs, through their STAC efforts, to foster a sense of identification, commitment, and loyalty with regard to security. Employees should feel a sense of ownership and personal satisfaction around having good information security, not just see security as policies they must obey. Security programs must also foster more employee satisfaction and better performance. If employees don't feel that the security team cares about them, or gives them the tools they need to perform their jobs securely and effectively, then how are they supposed to feel the sense of ownership for security that is necessary for a strong security culture?


Towers Watson, a consulting firm, conducted a global workforce study, which identified five top drivers of sustainable employee engagement:

  1. Leadership that is effective, consistent, and earns employee trust and confidence
  2. Goals and objectives that are well understood, widely communicated, and appropriately supported to ensure success
  3. A work/life balance that is suitable for managing stress and supporting employee well-being
  4. A positive organizational image and a public reputation for honesty and integrity
  5. Management communication that is respectful, clear, and encouraging

Unsurprisingly, I tend to see these drivers in more innovative STAC programs today. In these organizations, awareness has top-down support and adequate resources. Clear goals are set, knowledge and skills are communicated effectively, and security training helps employees with their home and family lives, not just work. The result is usually a workforce that is much more engaged in the practice of good security.

Finally, an in-depth UK Government study reported four enablers of employee engagement:

  1. Strategic narrative - strong executives with a compelling, empowering story about the organization and its future
  2. Engaging managers - managers who act like coaches, focusing on their people as individuals, giving them direction and objectives, and encouraging them to stretch themselves
  3. Employee voice - employees who are respected as the solution, not the problem, and invited to give thoughts and opinions which are listened to and acted upon
  4. Integrity - an organization where values are reflected in how people actually behave, with no gap between what people say and what they do

The UK study offers some particularly good insights for security engagement. When I see STAC programs fail, they have usually violated several of these principles. Some are "check the box" programs driven by compliance requirements, with no strategic story. Others use generic content and techniques to deliver homogeneous training to every employee, with little individual focus or creativity. Some programs can be quite condescending towards the people they are supposed to be engaging, insensitive to the challenges everyday users face or to the tradeoffs people must make between security and other priorities. And in some security programs, unfortunately, security awareness requirements change for different people, often based on their position in the org chart. Double standards rarely foster commitment and engagement.

As you consider your overall cyber security strategy, think about the value of security engagement and culture. Is the goal to just make people aware of security risks and requirements? Or is the goal to engage people as security partners, as committed and enthusiastic as you are?

Copyright © 2016 IDG Communications, Inc.
