In your organization’s journey to be cyber resilient and build up its defenses, your path will have bumps in the road. Your cybersecurity strategy has to change and adapt to navigate this. As you evolve, you’ll still face cybersecurity strategy pitfalls, but you have a lot of control over this path.
Your team could be the cause of these derailments. They are, after all, the experts, and your leadership should encourage their own evolution. First, you need to address areas where you are off the path. Let’s look at the most common pitfalls and how to avoid or resolve them.
Misconceptions About the Human Element Create Pitfalls
An underlying theme in the pitfalls we’ll discuss is how cybersecurity professionals miss or don’t give much credit to the human element. Being technical people, they depend on technology to solve all cyber problems. Yet, we all know that most cyber incidents occur because of human error or failures. In 2021, 82% of breaches involved the human element.
Your technical folks may have already decided humans are the weak link, and there’s no way to save them from their own stupidity. It’s a harsh sentiment but one you’ve likely heard. For you to have the most robust and flexible cybersecurity strategy, your people need an attitude shift. Without it, they’ll fail to engage their users, and the cycle of apathy continues. Is that the kind of cyber team you want to lead? If not, then pay attention to these pitfalls and how to move forward.
6 Pitfalls of Cybersecurity Strategies
These pitfalls will sound familiar. What’s new is how you can better respond to and address them. You’ll find that at the heart of these is the need for your staff to sharpen their people skills, something that’s been historically difficult but not impossible!
Let’s look at each pitfall and what actions you can take to deal with them.
1. Your cyber professionals assume and believe users are clueless and a liability.
Those working in tech often portray the layperson as completely clueless. There are a million memes that demonstrate this perspective. An average user may make mistakes, but most aren’t as incompetent as the stereotype.
Additionally, this sentiment, even if not expressed out loud, creates friction and an “us vs. them” mentality. It’s further complicated by cyber professionals who think they’re the smartest person in the room. These types believe users are idiots, and if they intimidate or belittle them enough, they’ll be so fearful they won’t make any more mistakes. Yet, that’s not how it actually plays out in most cases.
With this troubling relationship comes distrust, and risk could increase if employees question the team’s authority. You also have to figure out the impact of security fatigue in this dynamic. Most people are overwhelmed with all the rules, guidelines, protocols, and training.
So, how do you change this mindset? Ideally, your cyber team should be ambassadors for security and build relationships with users. By working on the relationship, people will be open and engaged. They’ll understand their part in cybersecurity.
The catch is that you have to change some behaviors and thought patterns of your technical folks. The best way to do this is with the Secure Methodology™, which is a seven-step guide to transforming cyber professionals into communicative and collaborative people.
In the seven steps, there are exercises and practices to undertake to help people with awareness, mindset, acknowledgment, communication, monotasking, empathy, and kaizen. When technical folks go through this evolution, it opens up a new perspective of working with employees rather than having disdain for them.
2. Your techs only speak geek.
If your team is going to earn the respect of others and improve the culture to be a security-minded workforce, they need a new language. Only talking about technical areas with jargon is a familiar move by cyber professionals. A lot of times, this is more bluster than anything else. Improving communication skills requires much more than being articulate.
How your people talk about cybersecurity risk matters on many levels. First, they need to learn how to convey threats and strategies to the C-suite, and you can be an example here. Strip away all the unnecessary geek speak to get to the crux of the matter.
Second, they have to reframe how they communicate with all users. The official requests to complete training or follow best practices come from your team. There are several exercises within the Secure Methodology that focus specifically on this and will help craft messaging that is easy to understand and follow.
It’s also a good idea to consider different formats for this communication because people learn differently. Consider more than sending out emails with links to training. A friendlier approach would be to host a lunch and learn for users to hear directly from your team on why cybersecurity matters.
3. Your cybersecurity strategy is too complex, leading to bad decisions.
Most people want to follow the rules about cybersecurity. They don’t want to err and cause an incident. With the daily headlines of cyberattacks, they are aware of the risk. However, an unnecessarily complicated cybersecurity strategy can trip them up.
When the security burden is only on their shoulders, they may fall into making bad decisions. Workers often have distractions and more demands than they can complete in a day. If they second-guess every decision regarding security practices, they may unwittingly become an insider threat.
So, how can you ease some of this for them? Take an honest and candid look at your strategy and policies. Do this with your team, and challenge them to identify complexity and simplify it if possible. Make sure they are looking at this with a growth mindset and awareness. To do this, they’ll need to use some of those soft skills much more so than technical ones.
In this review, you may also determine there are more things you can do, such as improving the security filtering for email to prevent phishing attacks. Password guidelines often fall into this category, as well. Implementing password vaults is an option to ensure people don’t use the same one for everything.
4. Your cybersecurity policies are too rigid.
Can cybersecurity rules be too restrictive? Yes, if they impede someone’s ability to do their job. To avoid this pitfall, your technical folks will need to use what they learned in the Awareness and Empathy steps of the Secure Methodology. They literally have to put themselves in the shoes of a user.
If “security” creates barriers and roadblocks, people will tend to move outside the lines for convenience and productivity. That’s not a safe path to take, so you need policies that don’t further complicate employees’ workflows.
It’s not about relaxing protocols or becoming indifferent to cybersecurity. Rather, the approach is to assess policies and see how they impact users. If you and your team do this before you roll them out, you’ll be able to plan and communicate changes better.
5. Your cybersecurity team only communicates around the negative.
Should your cyber team instill fear in your users? Is fear a good motivator? Sometimes, but in this case, probably not. If the only communication your team puts out to the employee base is negative, it’s not likely to impact their behaviors. Shaming people for making mistakes is typically ineffective. This breeds resentment toward your team.
Instead, your cyber team should focus on positive reinforcement. This stance could improve the attitudes of staff toward security and your team. When there’s an environment of positivity, cybersecurity can be a truly collaborative approach.
6. Your department never solicits user feedback.
Finally, asking for and receiving feedback from users is very valuable, but few organizations solicit it. There are many ways to obtain this. One option is to send a questionnaire after the resolution of an issue. You can also do an annual survey in general about cybersecurity and the communication and direction provided by your group.
Getting these responses can help you shape future cybersecurity strategies and enlighten your staff. Some of your people may discount it, and that is their loss. If you want to elevate your people to expand their thinking from ones and zeros, they need feedback.
The Acknowledgment step of the Secure Methodology aligns with this. You need to do some acknowledging as the leader when things go right. If things go wrong, you need to recognize this too, but not in a harsh way. Collective feedback from those you serve will be a mix, but there is so much to learn from this information.
Cybersecurity Strategy Pitfalls: Stay on the Clear Path with the Secure Methodology
These pitfalls are things every cyber leader faces. However, they are avoidable or fixable with a better approach. The Secure Methodology is a framework to get back on the right path. You can learn more about it and why it’s critical for modern cybersecurity success by checking out the Secure Methodology course.