What does Leadership have to do with Security?
“The fact of the matter is we are social animals, and we respond to the environments we’re in. Always. Our very survival depends on our ability to cooperate and trust with the people that we live or work with. Right? You can take a good person and put them in a bad environment, and that person will do bad things. You can take a person who maybe the group doesn’t trust, maybe they’ve even performed bad acts; you put them in a good environment, and they’re capable of turning their lives around and becoming remarkable members of society. In other words, it’s not the person, it’s the environment. Leaders are responsible for that environment, and I think sometimes leaders forget that.” ~Simon Sinek
I heard these words from Mr. Sinek when he was being interviewed in 2018. The concept of a good person doing bad things is not foreign to me, as so many Insider Threat cases can demonstrate. What I am starting to question is: how great a role does leadership play in the Insider Threat problem?
As we’ve discussed in a previous post, we here at Overt Channel consider Insider Threat to be The #1 Cybersecurity Threat. The Insider Threat is one of the reasons we have the Human component in the Physical-Human-Cyber triad which forms the foundation of our approach to security.
To be sure, companies cannot eliminate the Insider Threat altogether. There will always be “bad guys” out there, right? A strong hiring and onboarding process can filter some of these folks out. What companies can do to mitigate the risk is to avoid creating an Insider Threat.
To rephrase Mr. Sinek’s comments above: leaders can create a bad environment where good people can be led to do bad things. This is, in effect, creating an Insider Threat problem. It’s the organization’s leaders who need to build, foster, and support a good environment. A good company environment is one that supports its teammates by providing the best employee experience possible.
The Employee Experience.
The employee experience is the entirety of what individuals will face and witness during their time with a company. It’s the realm of possible answers a teammate might give when asked by friends and family “how do you like your job?” A positive employee experience includes job training, defined career paths, diversity, inclusion, fair treatment, competitive benefits, and employee wellness programs – but these, collectively, should be the baseline for any good company.
After the baseline, evaluating the employee experience should start with big questions asked at the highest levels in an organization. Leaders should focus on seven key considerations when evaluating the employee experience: engagement, purpose, belonging, optimism, productivity, meaning, and connection.
Taking into account these seven considerations, leaders should attempt to gain honest answers to the following questions:
It starts at the top.
Building a positive employee experience at an organization involves every department, every team, every manager, and every employee. But, like so many things in a corporate environment, it all starts at the top. It starts with the leaders.
What does leadership have to do with security? Leadership is responsible for the environment, and a poor environment can foster the greatest threat to the organization – the Insider Threat.
Leadership and security. Insider Threat. Physical, human, and cyber security.