How L&D professionals can help businesses mitigate complex security risks through effective training and leadership – with insights from Richard Mackintosh and Sarah Keeling
It is widely acknowledged that the world is more dangerous than at any time since 1945. Recent disruptions to world IT systems, caused by a patching update, are a stark warning of the risks we run because of our interconnectedness and dependencies. Instability in Europe and the rise of China, both underpinned by and dependent upon emergent technologies, contribute to a global sense of unease. Risks are changing, and that impacts all of us.
Understanding personnel security risks
Security risks (whether cyber, physical or personnel) always have a human dimension. People can drive risks, be a vector for them, and ultimately have to manage them. While physical and cyber security risks are well understood, that’s not always the case for personnel security risks. Personnel security, sometimes referred to as insider risk, concerns ‘insiders’ – those who betray trust by behaving in potentially harmful ways. That includes staff, contractors, partners and those in the supply chain: anyone, in fact, who has been granted access to places, people and data.
Personnel security is attracting increased focus as a board priority, being recognised as a risk that must be managed seamlessly alongside cyber and physical security.
Moving beyond traditional security training
With complex and evolving security risks, it is no longer enough to rely on traditional security training. There needs to be more than just watching an induction video or completing mandatory training. Particularly with insider risks, there needs to be understanding and empowerment to act. There must be much closer alignment and understanding between risk/security practitioners and L&D professionals.
The stark reality is that the risks that most worry senior leaders can be, and are, affected by people. How we lead, inspire, inform and communicate with our people has never been more important.
Nuanced approach for insider risk
Resilient organisations that understand and manage risk effectively need leaders and teams that are proactive and flexible. For example, insider risk is rather different in how it develops and manifests, requiring a more nuanced approach. The best detectors of insider threats are usually other people, but people need to know what ‘not quite right’ looks and feels like, and what action they can take.
That requires training – and training of a rather different kind. It is not the same as, for example, safety procedure training, where there are processes to be learnt and followed. Training needs to ensure that people understand the risks and are empowered to act.
Training needs to focus on:
- What is insider risk and what are its impacts? Awareness.
- What should I do if something doesn’t feel quite right? Action.
- What role and responsibility do line managers and leaders have to help understand and manage the risk? Accountability.
- How do we learn and share lessons for the benefit of all? Continuous improvement.
This is different from other kinds of traditional security training and requires a firm foundation in behavioural science.
Building trust and leadership
L&D efforts that work well in personnel security take a multi-pronged approach through online learning, town halls and constant management reinforcement. Above all, the behaviour of leaders and managers in setting the tone and living the values is crucial. Too often we hear of cases where speak-up channels have failed because they weren’t trusted. A disconnect between the avowed culture and the reality that people experience can be fatal for the security and reputation of an organisation.
With insider risk, it is often the case that poor line management is a contributory factor. Line managers can quickly make a bad situation worse if they aren’t trained properly.
Modern tech
Building a high-trust environment, which is a key defence for effective security, takes time and effort. There needs to be leadership through actions and consistent reinforcement of the right behaviours. Too few managers get the training they need and deserve to be exemplars of positive security behaviour.
Security people need to understand L&D better – how people learn best and how modern technology can help. Education about the cyber threat has improved in the last few years through techniques such as ethical phishing, constant testing and reinforcement. People will buy into security education, and demonstrate the right security behaviours, if they see a wider benefit – in other words, it benefits them personally.
Collaboration between L&D and security teams
Without the right training, there will be inconsistent delivery and outcomes. L&D needs to be a two-way process in partnership with risk and security stakeholders, with lessons from the centre – for example, following an investigation or incident – to share best practice.
As the adage goes: “An ounce of prevention is worth a pound of cure” and when properly administered, L&D is a clear path to help safeguard your organisation against a growing list of complex risks.
Richard Mackintosh is Senior Adviser at StoneTurn
Sarah Keeling is Partner at StoneTurn