How to Create a Culture of Trust While Preserving Security

​Since 1914, the FTC has been holding companies accountable for “deceptive” and/or “unfair” practices, per Section 5 of the Federal Trade Commission Act. And while the legislators who designed the act certainly didn’t have cybersecurity in mind over 100 years ago, the FTC has since sued above 60 companies for “put[ting] consumers’ personal data at unreasonable risk.”

​This means that your organization will want to demonstrate that they’ve made a good-faith effort to protect consumer data against breaches. Failure to do so could result in serious consequences – for the consumers you’re trying to serve and for the business itself.

​In addition to this sweeping legislation, there have been several other laws that lay out expectations regarding security of protected health information (PHI) and personally identifiable information (PII), including the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and the Federal Information Security Management Act of 2002 – not to mention any state laws that regulate security and privacy.

HR to the Rescue Download White Paper

​So – how do we optimize this delicate balance between productivity and security? As I know from my work as CISO (Chief Information Security Officer) and vice president of IT and web operations, there’s no one easy answer – but a key component is striving to create a culture of trust within our company while maintaining sufficient safety practices.

Lead transparently and consistently

​Company trust begins with leadership. Establishing consistent and open channels of communication is the first major step in creating a positive, trustworthy company culture. People must know what the CISO is striving to accomplish. Carefully communicate with employees when implementing tools and controls and the purposes behind them. Openness helps avoid an atmosphere of “big brother is watching.”

​It’s important also to adequately communicate how an individual’s role in ensuring data security plays into the day to day activities of the business. When you cast a vision that creates a shared understanding of all employees’ roles in security, it extends the responsibility to all staff. When an employee walks through the doors every morning, they should understand that security is their priority, too.

Incorporate information security practices early

​How can we make people feel like they can still do their jobs without security procedures getting in the way? Have a constant feedback loop. The cybersecurity team needs to be talking to employees in an ongoing conversation. Frequent check-ins and updates can help circumvent problems before they arise and ensure that systems are working smoothly for all involved.

Build in security into every aspect of the business

​As important as these frequent check-ins are, security is best when it’s built into systems from the beginning. That’s why there’s been a recent push among security experts for “dev-sec-ops” approach — development, security and operations. Everything – from the code you write for your applications to the way you process and share data with vendors – is designed with security in mind and tested as its developed.

​Another important principal to keep in mind is that security increases when complexity decreases. For instance, NIST SP 800-63B (Authentication and Lifecycle Management) provides recommendations that establishes an innovative approach in the management of passwords (memorized secrets). It revisits the idea of using composition rules, lifecycle, and length requirements to make passwords more secure. NIST explains that this approach makes passwords difficult to remember and frustrates users. It’s a fair point: Everyone’s experienced the inconvenience of constant password updates, and we’ve all struggled to remember passwords that fulfill increasingly complicated requirements.

​In light of this, NIST posits in SP 800-63B that by implementing real-time feedback mechanisms when choosing new passwords, using black-list look ups, it can aid the user in choosing secure passwords that are easier to remember. By having your security experts focus on decreasing complexity, you can reduce user frustration and maximize security.

​Similarly, when an internal breach occurs, it may well be because security wasn’t baked into the system from the get-go. For example, let’s say your company decides to release a new healthcare related product, which requires sharing customers’ personal data with a third-party cloud service provider. It sounds innocuous enough – but unless a business associate agreement (BAA) is in place between all parties involved, and the proper security controls have been implemented, a breach of private health information (PHI) data may have occurred. Involving security in these kinds of data transfers and establishing clear security expectations both internally and externally will help prevent such situations from arising.

​Generally, no one wants to get things wrong. People want to help protect sensitive data.

What should employees do?

​When in doubt about a security issue, employees need to be trained to 1) stop, 2) think, and 3) ask if they’re unsure of the security risks in a particular situation.

​By implementing thoughtful, smart practices, you can maintain an open dialogue that will encourage constructive engagement from employees.