We often hear about “disgruntled workers” wreaking havoc on computer systems and sensitive information. Interestingly we never hear about what I call “gruntled workers” and how they can — and do — contribute to enterprise security.

Getting the attention of your employees and having them on your side can go a long way towards improving the security of your Web sites and applications. When people who are otherwise disconnected from IT get on board with security, they’ll often go out of their way to ensure they do what’s right. I’ve also seen employees go the extra mile to help people in IT and software development when they find security flaws in the systems they’re working on. Employees don’t want security to get in their way but they’re often willing to step out of their traditional roles and help contribute to Web security to make things better for the business.

On the other hand, if you do things with security that irritate your employees they’ll often do just the opposite by making your life miserable and putting your business at risk. Everyone loses.

Focus on the positive and you’ll reap what you sow. Here are some ways I’ve found to get employees on your side and minimize business risks:

  1. Make sure employees are in the know and fully understand what you’re trying to accomplish with Web site security. Properly set expectations and priorities are half the battle.
  2. Establish and build trust. This means leading by example to help influence your organization’s culture and show your users that you’re a person of value who’s not out to get them.
  3. Ensure that employees who come up with ways to help prevent or minimize the effects of security breaches are properly acknowledged and rewarded.
  4. Help management find ways to tie participation in (and results from) IT and security awareness training into employee reviews.

These are things you as an IT or security professional can get started on today. I wouldn’t try to go it alone though. You really need management on board and ideally have a security committee consisting of representatives from HR, legal, operations, internal audit, IT, information security and physical security. A functional and well-run committee can help tremendously with visibility and accountability and improve overall Web security way beyond what you could otherwise do by yourself.

Employees are everything to the business. View them as allies rather than the enemy. Once you get them on your side, you’ll build your credibility and everyone will surely benefit.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.