Tips for learning to see the world through a security lens, and training your employees to do the same
Thriving in a secure environment requires a different outlook than you would typically have in your day-to-day life. To keep your company and country secure, you have to be on the lookout for threats, trying to see through the eyes of those who would want to steal information and exploit vulnerabilities. This mindset may not come naturally, but it can be ingrained in you and your employees with the right training, research and experience.
Cultivating Your Security Mindset
For every security professional, being able to spot security issues early and fix them before they’re exploited is a crucial skill. This is especially true if you hold a security leadership position like Facility Security Officer (FSO) or Insider Threat Program Senior Official (ITPSO). If you’ve reached that point in your career, odds are you already have a strong intuition for building and maintaining security. Even then, seeking constant improvement is the best way to ensure your company’s or facility’s security for the long haul.
If you’re trying to start building a security mindset, the first step is knowing your enemy. If you don’t know who the threats to your security are, there is no way to know how to stop them. Depending on your work, this could be foreign adversaries, insider threats, other companies or even people in your neighborhood. Once you recognize who your threat is, try to view your facility or business through their lens. Evaluate what they may try to exploit, whether it be an issue with your facility’s physical or data security or even employees who may leak information, either willingly or unintentionally. When you assess your vulnerabilities in this way, you can address them before adversaries are able to exploit them.
Research will be an ongoing part of practicing good security. This means staying up to date with any updates from DCSA, taking advantage of extra trainings and webinars beyond what’s required, and taking the time to search for answers when you run into a wall or something you don’t know. This could mean a simple Google search, seeking help from others at your company or reaching out to your DCSA representative if the question necessitates it.
You can also reach outside your organization for help through networking with other security professionals. If you make contacts through LinkedIn, conferences or professional membership organizations, those can be invaluable resources. It’s likely professionals at other organizations have run into scenarios similar to the ones you need help with, or that they have resources that can help you. When we create a network of security leaders seeking to help each other, we strengthen national security significantly.
Good security comes from the top down. If you want to keep your facility secure, that culture begins with the tone you set for others.
Training Your Employees in Creating an Effective Security Mindset
An organization cannot rely solely on one person to maintain security for everyone; you need to create an ecosystem where everyone is on the lookout for issues and ready to help you stop them. This begins with training, but making sure that employees actually pay attention and take in key information from trainings and briefings can be challenging. There are steps you can take to ensure a more engaging and therefore more memorable presentation.
If your briefing is going to be more than 20 minutes, information can get lost and people can begin to tune out, so you need to engage your employees in this time. This can be as simple as asking questions as you go to keep them involved. You could also add review games of the information, especially if you can incentivize them with prizes. Choose some key information that you really want employees to walk away with and “create a moment” around it. If you’re training them on reporting foreign travel and want to drive home suspicious behavior they should be watching for, play a clip from the movie Taken and dissect what signs were on display. Use references to pop culture or add humor where you can, and it will be immediately more memorable.
Whatever your approach, you need to create a “why” for your employees. Why should they care about security? Case studies and real-world examples can be a great tool for doing this. Rather than introducing ideas with no context, show them how security threats can play out in real life and what the effects are. Find examples that the people you’re talking to will relate to. For example, if you’re training millennial cyber security professionals, a story about WWII may feel disconnected from and not applicable to the work they do.
Beyond the official training, people will most likely make a mistake at some point. They may forget to report an international trip or accidentally bring the wrong kind of headphones into a secure space. In instances where it’s truly unintended and not malicious, this is a great time to create a learning moment. Sit the person down and walk them through why that security rule is important to follow. These mistakes can actually make them practice better security in the future, as long as they put in the effort to avoid making the same mistake twice. You can also use this as an opportunity to issue a company-wide reminder. Send out an email reiterating the importance of the rule. Just make sure it isn’t done in a way to shame the person who made the mistake, or you’ll risk people being too scared to self-report in the future.
Unfortunately, even with excellent and ongoing training, there are people who will still not develop the security mindset they need to thrive in the high-security world. If someone is continually making mistakes or not following security protocols, you have to recognize them as a liability. Not everyone is going to be able to work in organizations where information needs to be protected, so it’s part of your responsibility to learn to distinguish people who make genuine errors and fix them from those who should no longer hold a clearance.
Ultimately, leadership plays a huge role in creating a strong security culture. Adamo can help you as an FSO build this culture by helping you with briefings and freeing you up from the tedious day-to-day work so you can focus on what’s most important for your organization.