There are obvious overlaps between these dimensions of employee engagement and security awareness best practices. Most important is the need for security programs, through their STAC efforts, to foster a sense of identification, commitment, and loyalty with regard to security. Employees should feel a sense of ownership and personal satisfaction in having good information security, not just see security as policies they must obey. Security programs must also foster greater employee satisfaction and better performance. If employees don't feel that the security team cares about them, or gives them the tools they need to do their jobs securely and effectively, how are they supposed to feel the sense of ownership for security that a strong security culture requires?
Towers Watson, a consulting firm, conducted a global workforce study, which identified five top drivers of sustainable employee engagement:
- Leadership that is effective, consistent, and earns employee trust and confidence
- Goals and objectives that are well understood, widely communicated, and appropriately supported to ensure success
- A work/life balance that is suitable for managing stress and supporting employee well-being
- A positive organizational image and a public reputation for honesty and integrity
- Management communication that is respectful, clear, and encouraging
Unsurprisingly, I tend to see these drivers in more innovative STAC programs today. In these organizations, awareness has top-down support and adequate resources. Clear goals are set, knowledge and skills are communicated effectively, and security training helps employees with their home and family lives, not just work. The result is usually a workforce that is much more engaged in the practice of good security.
Finally, an in-depth UK Government study reported four enablers of employee engagement:
- Strategic narrative - strong executives with a compelling, empowering story about the organization and its future
- Engaging managers - managers that act like coaches, focusing on their people as individuals, giving them direction and objectives, and encouraging them to stretch themselves
- Employee voice - employees who are respected as the solution, not the problem, and invited to give thoughts and opinions which are listened to and acted upon
- Integrity - an organization where values are reflected in how people actually behave, with no gap between what people say and what they do
The UK study offers some particularly good insights for security engagement. When I see STAC programs fail, they have usually violated several of these principles. Some are "check the box" programs driven by compliance requirements, with no strategic story. Others use generic content and techniques to deliver homogeneous training to every employee, with little individual focus or creativity. Some programs can be quite condescending towards the people they are supposed to be engaging, insensitive to the challenges everyday users face or to the tradeoffs people must make between security and other priorities. And in some security programs, unfortunately, security awareness requirements differ from person to person, often based on position in the org chart. Double standards rarely foster commitment and engagement.