Developing a security-first culture in a hybrid workplace

Padlock in front of laptop - cybersecurity habits
(Image credit: Shutterstock)

Those in cybersecurity have traditionally held the role of maintaining network integrity close to the vest. However, by perpetuating a stereotype that only a select few at a company can handle that responsibility, they are doing a disservice to those of us who believe that building a security-first culture should be a company-wide initiative.

About the author

JD Sherman is CEO of Dashlane.

In a remote, mobile-centric world where everyone in your company is an endpoint, IT leaders must put some cybersecurity responsibility into the hands of the very people who may be the most vulnerable—their employees. We’ve all read about recent cybersecurity attacks against the Colonial Pipeline, the U.S. meat industry, EA, etc. and it proves security issues can happen in any industry. Companies with a security-first culture empower employees at every level of the organization with security tools that make employee’s lives simpler with great UX and supportive training tailored to specific remote user behaviors and skill sets.

To instill a security-first culture in any organization, we must change how we think about security in a corporate sense and influence how every employee implements security in their daily work environment (wherever that may be). Business leaders and IT leaders need to take a step back, acknowledge four distinct improvements to make in their cybersecurity landscape, and take tangible steps to respond accordingly.

1. Recognize that cybersecurity is as much about the people, as it is about technology

The vulnerability among remote users isn’t just malevolent foreign actors or high-tech network hacking schemes; it is human nature. When more than 1 in 3 remote workers admit they feel overwhelmed by the need to keep track of all their account credentials, it is easy to see how apathy, short attention spans, and bad cyber habits are the true adversary of a secure network.

If you’re an IT administrator, you likely need to shift some of your focus (and resources) away from protecting your endpoints and infrastructure with technology and invest in ways to change employee behavior, mindset, and security habits.

Communication is a huge factor in accomplishing this goal, and it needs to begin as early as your onboarding process. IT leaders should proactively partner with HR and/or Training to help instill good security habits before any employee ever logs into a network. Employees want to do the right things when given proper training and motivation.

Many organizations are gamifying their security training and rewarding those who demonstrate a security-centric attitude. This creates the opportunity to encourage and support those with poor scores and reward individuals or teams with good security habits. With regular updates, you can demonstrate progress toward implementing both individual and corporate security goals. When employees recognize that you are making security a priority, it is easier for them to do so.

2. Recognize the changing face of remote users and treat each one accordingly

While there is a significant increase in the number of employees working remotely, there is also a dramatic change in the skills and attitude of remote workers. In addition to the traditional power users (executives, road-warriors, IT, etc.) our research indicates that there are three other common remote user types that IT teams must identify, accommodate, and motivate to implement a true security-first culture.

The Desensitized User This largest group of remote users is dangerous not because they are incompetent but because they have grown too comfortable online. When faced with security challenges like remembering multiple credentials, they take the easy way out and use insecure passwords or simply reuse old ones.

To reach the Desensitized User, it is critical that you show them you are focused on solving their frustration and making their lives simpler. Don’t just give your bad-credential users a password manager and a user manual. Spend time in training to demonstrate how it streamlines their processes, stress the benefits of efficiency, and reinforce the messaging by reminding them that they play an essential role in cybersecurity for the whole company.

The Above it All User These are the power users that IT has traditionally focused on.

While they may be cyber-rockstars, you still need to introduce user-friendly security tools. A good way to counter potential objections is to remind The Above it All User that taking a security-first position is the only way to truly maintain the fluid boundaries of work and home life that they have become accustomed to.

The Out of Touch User These users are the opposite of your power users. They have relatively low tech-IQ and, if not for the pandemic, would not likely work remotely. They regularly leave their devices unlocked and are the type to have their passwords on a sticky note.

To motivate change among Out of Touch Users, you need to instill a sense of responsibility. There are countless real-world examples you can point to of how massive organizations have been brought down simply because one person was careless or “out of touch.”

But you can’t just scare them into compliance; you also need to recognize their limitations. So choose security tools with short learning curves, and provide ample and frequent training and support to remind them what they should be doing without calling out their lack of tech acumen.

The On Top of It User Your On Top of It Users rely on technology to help them accomplish their goals. Unfortunately, this need-it-now attitude often means they choose efficiency over security.

In-depth training isn’t as critical for the On Top of It User. They need to see that you understand their Type-A needs and that you have sought out tools that have seamless UX and won’t slow them down when using the platforms they depend on to succeed. IT staff, policy, and tools need to be seen as shortcuts rather than roadblocks.

3. Understand that a hybrid workspace requires more flexibility than a traditional work environment

As many as 42% of the U.S. labor force was working from home full-time during the pandemic. And that number isn’t changing anytime soon. Perhaps the scariest aspect of this phenomenon from a security perspective is the co-mingling of company-managed and personal devices.

Many companies were just coming to grips with implementing BYOD policies that allowed employees to bring their personal technology into the office. Now they are being thrust into an even more uncomfortable position of accommodating remote workers with unsecured home devices and networks. While a rigid stance made sense for BYOD, the new hybrid workspace will require a softer, more collaborative approach.

This means that IT needs to take the position that every device, browser, operating system, or network will become part of your corporate security profile. Therefore, you need security products that work consistently across all devices. The hybrid workspace requires more emphasis and investment into Identity and Access Management (IAM) tools, password training and management tools, and security first protocols to help simplify the security process for employees without intervening in their personal lives.

Employees need to see IT in the role of a facilitator rather than a gatekeeper by providing tools and support that make it easier for employees to do their job remotely.

4. Provide people with tools that make their lives easier, and they will utilize them

In even the best-built corporate cultures, there is a tendency to backslide into a comfort zone. We know that, left to their own devices (no pun intended), remote employees are prone to taking shortcuts that are not representative of a security-first culture.

Developing a security-first culture means achieving a better blend between technology and humanity, which ultimately requires tools that align employees’ beliefs about security with their online behaviors.

There are a few specific factors that IT teams must take into consideration when evaluating any security tool and IT leaders can apply those same concepts before implementing any new security product.

It must have a simple user interface. Security for all employees means being able to accommodate the lowest-common-denominator in technology experience and skill set. Tools with a simple and elegant user interface will be seen as easy by low-tech workers and streamlined for your power users.

It must easily integrate with a variety of personal technology products. Your employees likely didn’t consult corporate before making their at-home technology purchase. Security technology that works seamlessly with their home devices and networks will have a significantly better chance of broad-based adoption than those that do not.

It must provide a user experience that improves employee workflow. Adapting to remote work is challenging; security tools must help streamline employee’s workflow and make users’ lives easier during these difficult times. Endpoint security software automatically patches and installs updates on employees’ personal and business devices while a password manager eliminates the need to remember multiple credentials. These tools require less effort and deliver better performance.

Empowering people to be part of the solution

To instill a company-wide security-first culture, organizations must think of security as a human challenge, recognize the changing face of their remote user base, learn from the critical lessons taught by our collective COVID-19 experience, and strike a balance between securing their business interest and improving their employee’s workflow.

Successful organizations will ultimately thrive in the new hybrid environment because they will pivot how they think about cybersecurity. By seeking both advanced technology and human-centered solutions to security challenges, they will provide a simple and seamless user experience and empower employees to do their jobs wherever they are most productive and have peace of mind that their information and online identity is secure.

JD Sherman

JD Sherman is CEO of Dashlane. He served as President and Chief Operating Officer of HubSpot from 2012 to 2020.