May 27, 2019 By Lysa Myers 4 min read


As cybersecurity practitioners, we all have a mental list of fundamental technological controls that everyone should be using to secure their environments. But when it comes to the humans in our environment, few of us can point to specific effective methods to improve company culture in a way that keeps them from accidentally — or intentionally — thwarting our efforts.

Understanding the psychology of why people occasionally slip up is the first step to preventing risky errors.

Stress Makes Workers Less Productive

We’ve probably all had the experience of trying to navigate the world when we’ve had too little sleep, or when we have something weighing on our minds. It’s not a fun way to move through the world, and we can consider ourselves lucky if our missteps are harmless ones. More often, it’s those complex tasks that are challenging for us on a good day that we’re most likely to mess up.

Most people are not — and should not need to be — cybersecurity experts. Their first priority will naturally be whatever tasks fall within their specific job description. Good data hygiene practices often fall further down their list of priorities than we might like. Your employees need to have the mental bandwidth to be vigilant and to do their job effectively, and stress decreases that ability.

Are Your Policies Causing Stress?

One source of stress many organizations are imposing on their workers is having adversarial security policies. Treating workers as a threat to be curtailed, imposing controls that make their job harder to do, and threatening punishment for accidental lapses does create a “culture” of security. But it isn’t a positive one.

Security efforts succeed or fail based on the ability to identify problems as quickly as possible. It would be detrimental to shut off one of your best avenues for rapid response by making employees feel afraid to communicate. This effectively makes the job of security practitioners more difficult, increasing their own workload and stress level.

It should be no surprise that many cybersecurity personnel are overworked. This situation seems to be increasingly widespread, given the problems that many companies are having filling existing positions. Burnout and other stress-related mental health conditions are a prevalent issue in this industry: major conferences like Black Hat are even adding dedicated mental health tracks, according to Axios, and local events are adding Mental Health Hackers Villages.

Adding the stress of an adversarial environment is a surefire way to increase burnout and attrition. Creating policies that enable productivity and innovation makes everyone’s jobs easier.

What Does Positive Company Culture Look Like?

Negativity and stress decrease performance, while positive environments conversely improve it, according to Harvard Business Review. Since employees are ideally positioned to be the eyes and ears of the organization, they can be the best anomaly detectors and asset locators available, provided you improve communication enough to hear what they see.

To create a positive culture of security, you need a company full of loyal advocates. Ideally, staff should be loyal both to your company and to your customers. These days, most companies would quickly cease to exist without the goodwill, and often the data, of their customers. Your employees need to have the bandwidth to protect both of these things at their full capacity.

Loyalty and protection go both ways, so business leaders must create a company culture of valuing employees and establishing psychological safety. Creating a cooperative security posture will help decrease incidents.

Build From the Tech Up

There are a few things your company can do today to enable employees to work safely and improve your security posture. Let’s start with the technological solutions, which basically boil down to creating an environment that mitigates the damage from mistakes or poor choices:

  • Use robust, overlapping layers. Some common examples of this are multifactor authentication (MFA), sandboxing or virtual machines, blacklisting and whitelisting files or traffic, filtering unwanted or malicious files at the server and desktop levels, and encryption at rest and in transit.
  • Enable reasonable use. If malware researchers can safely examine potentially dangerous files, so can human resources and finance departments. You can provide staff with advanced file-handling training, plus air-gapped or virtual machines that are dedicated to the task and can be quickly reimaged after each use.
  • Implement seamless controls. When purchasing new products or services, prioritize choices that minimize extra steps when they must be used by your staff.
  • Do not allow more access than is needed. Follow the principle of least privilege, which says that no user, machine or system should have more access than is needed to do its job.

Whatever security technologies you implement, make sure that they are working to empower your employees and improve cross-department communications. Some things to get started include:

  • Listen to your employees. Are there devices, communication methods or data sources that people are using that you don’t know about? Are there particular vulnerabilities or pain points that they’ve spotted that should be fixed? These are just a couple of the questions you should be asking, and the answers might uncover holes you’re not yet aware of.
  • Find out how they work. Shadow employees to find out how security controls function within their daily work. Are there simple tweaks you can make that make their jobs easier?
  • Create an easy way for staff to report suspicious files or accidents. Your employees likely see a whole lot more spam, phishing and malware than you realize. They may quickly delete them, or they may mistakenly click on things they shouldn’t. Neither of these situations is ideal. You can use those messages that pass filters to train your defenses, and you can quickly investigate accidents, but only if you know about them.
  • Create an easy way to request access level changes. People change jobs and responsibilities often within the course of their tenure. There should be an easy way to request changes to their access if need be.

Security should not be the “Department of No,” but an enabler of innovation. This may seem contrary to common wisdom, but it is far from an impossible task. Considering the mental health and well-being of our employees can pay great dividends.
