Rawpixel - Fotolia

Get started Bring yourself up to speed with our introductory content.

How can security leaders create a positive work environment?

It's the responsibility of security leaders to create a positive work environment for security teams, which can be tough to do in such a demanding field. Here's how.

Information security can sometimes feel like a never-ending problem. Some experts suggest security leaders should let their teams know regularly all of the tasks they did accomplish to shift the focus away from the negativity. What else can I do to facilitate a more positive work environment so that security stays a passion instead of a burden for my employees?

Cybersecurity is predominantly defensive in nature. Enterprises are subject to a constant barrage of attacks from unauthorized sources. Since information security professionals are challenged each day with new attacks, it is no wonder that precautionary measures, monitoring and remediation efforts can seem trivial.

To some, keeping up with cybersecurity efforts is a burdensome task. To others, the complex nature of information security is what makes this profession exciting.  The level of passion of the staff is a reflection of the security leaders. There are three areas that can be used to motivate the information security staff and create a positive working environment:  lead by example, train your staff and recognition.

Lead by example and inspire your staff with your passion. Let them see your interest and motivation for information security. Teach your staff that being an agent of change brings greater satisfaction to this job regardless of whether the rest of the company is aware of your contribution. It's admirable when staff stand firm on professional ethics despite the non-popularity of its stance with executive management. This can be just as powerful as his ability to come to a mutual agreement on compensating controls. Do not attempt this if you do not believe it. Your staff will know the difference.

Improve your staff's knowledge by providing them with cybersecurity training. Sources for training include, but are not limited to, cybersecurity programs offered by ISACA, ISSA or OWASP; on-the-job training by assigning special projects to develop or update security policies, security awareness programs, incident monitoring and reporting, vulnerability remediation efforts, controls testing, compliance testing and proof of concepts for security tools, whether you purchase them or not; and certification training for CISSP, CISM, CEH and CISA.

There are the SANS certification courses, which are outstanding but may not be within your budget. Classroom training for these courses might require lodging and travel expenses that need to be factored in.

We all want to be recognized for our contributions. It builds pride and unity in team member relations. Develop a specialty for each of the members where they can become a subject matter expert.

Recognize them publicly through newsletters, personally name them in management meetings when appropriate, allow them to participate in projects, and give credit to those that had a direct hand in special project achievements. Many times the chief information security officer (CISO) will get all the glory but will also get all the blame. Staff members need to believe the CISO is there to build, protect and champion their efforts. The dynamics in this approach will recognize staff willing to exceed expectations.

Information security is an admirable profession. It has come a long way from the isolated mainframe dealing with IBM-RACF, CA-ACF2 and CA-TopSecret. Remote connectivity was strictly through auto callback devices or having to drive in to a data center to fix a security related production abend. Today, everything is connected. Technology has introduced many challenges to the security professional that can be quite overwhelming. Be an example, develop your staff and recognize them for their contributions. Use these as a positive reinforcement for growth and motivation.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Find out why it's important for security professionals to have business skills and how to promote interdepartmental cooperation as a CISO

This was last published in September 2015

Dig Deeper on Information security program management