Information security can sometimes feel like a never-ending problem. Some experts suggest security leaders should let their teams know regularly all of the tasks they did accomplish to shift the focus away from the negativity. What else can I do to facilitate a more positive work environment so that security stays a passion instead of a burden for my employees?
Cybersecurity is predominantly defensive in nature. Enterprises are subject to a constant barrage of attacks from unauthorized sources. Since information security professionals are challenged each day with new attacks, it is no wonder that precautionary measures, monitoring and remediation efforts can seem trivial.
To some, keeping up with cybersecurity efforts is a burdensome task. To others, the complex nature of information security is what makes this profession exciting. The level of passion of the staff is a reflection of the security leaders. There are three areas that can be used to motivate the information security staff and create a positive working environment: lead by example, train your staff and recognize their contributions.
Lead by example and inspire your staff with your passion. Let them see your interest and motivation for information security. Teach your staff that being an agent of change brings greater satisfaction to this job regardless of whether the rest of the company is aware of your contribution. It's admirable when staff stand firm on professional ethics despite the unpopularity of their stance with executive management. This can be just as powerful as their ability to come to a mutual agreement on compensating controls. Do not attempt this if you do not believe it. Your staff will know the difference.
Improve your staff's knowledge by providing them with cybersecurity training. Sources for training include, but are not limited to, cybersecurity programs offered by ISACA, ISSA or OWASP; on-the-job training by assigning special projects to develop or update security policies, security awareness programs, incident monitoring and reporting, vulnerability remediation efforts, controls testing, compliance testing and proofs of concept for security tools, whether you purchase them or not; and certification training for CISSP, CISM, CEH and CISA.
There are the SANS certification courses, which are outstanding but may not be within your budget. Classroom training for these courses might require lodging and travel expenses that need to be factored in.
We all want to be recognized for our contributions. It builds pride and unity in team member relations. Develop a specialty for each of the members where they can become a subject matter expert.
Recognize them publicly through newsletters, personally name them in management meetings when appropriate, allow them to participate in projects, and give credit to those that had a direct hand in special project achievements. Many times the chief information security officer (CISO) will get all the glory but will also get all the blame. Staff members need to believe the CISO is there to build, protect and champion their efforts. The dynamics in this approach will recognize staff willing to exceed expectations.
Information security is an admirable profession. It has come a long way from the isolated mainframe dealing with IBM-RACF, CA-ACF2 and CA-TopSecret. Remote connectivity was strictly through auto callback devices or having to drive in to a data center to fix a security-related production abend. Today, everything is connected. Technology has introduced many challenges to the security professional that can be quite overwhelming. Be an example, develop your staff and recognize them for their contributions. Use these as positive reinforcement for growth and motivation.