Employee engagement is a hot management topic these days. One reason it's top of mind is that recent studies show many employees are simply not very engaged at work.
Gallup, the research and polling company, tracks employee engagement globally. In January, Gallup reported that in 2015 only 32 percent of U.S. employees, and 13% of employees worldwide, were engaged in their jobs, meaning they were "enthusiastic about and committed to their work and workplace." The fact that two thirds of employees lack commitment and passion on the job has serious implications for business strategy and execution.
Now consider, given this lack of employee engagement, how hard security training, awareness, and culture (STAC) professionals have it. STAC teams are constantly challenged to improve the priorities, behaviors, and decisions people make regarding information security. That's a tough job. Even when STAC programs are well-funded and enjoy executive support (many have little of either), getting people to care about security, to be engaged in protecting corporate IT assets, is a tall order. If most employees don't care that much about their own jobs, it shouldn't be a shock that they have a hard time caring about the security team's job as well.
This lack of security engagement may even drive insider threat narratives that are so popular today within the industry. In my experience, security professionals are more engaged in their jobs, more passionate about what they do. So I can see how apathy in non-security employees might be interpreted as negligence or even maliciousness. But that's a dangerous mistake to make. "You can't patch stupid" may strike security professionals as funny, or even accurate, but the attitude is self-defeating in the end, and a poor strategy for winning hearts and minds.
If most employees don't care that much about their own jobs, it shouldn't be a shock that they have a hard time caring about the security team's job as well.
Lessons from employee engagement research
Research into employee engagement has a lot to offer security programs and security awareness teams. By looking at what drives employee engagement in general, we can uncover clues and insights to help us better engage people specifically in cyber security.
A 2015 study in the MIT Sloan Management Review found five dimensions of employee engagement:
- Employee satisfaction - employees react positively to their job circumstances and colleagues
- Employee identification - employees' emotional satisfaction is tied to the company's success or failure
- Employee commitment - employees are willing to do more than the minimum required in their job description
- Employee loyalty - employees' attitude about the organization makes them want to exceed expectations
- Employee performance - employees strive for higher quality in the goods and services the company produces
Sign up for CIO Asia eNewsletters.