It is everyone’s job, not solely that of cybersecurity professionals, to consider how their work affects security. Of course, some personnel have a bigger impact on organizational security than others. Managers are a keystone of company security. Here are 10 things that managers can do to improve security.
1. Read the security policy
Most organizations have a security policy. Every manager who is not familiar with that policy should make an effort to understand it. Want to earn additional respect from your IT team? Ask them to walk you through it. Part of a manager’s job is to guide employees on how to accomplish work tasks while staying within the confines of security. Additionally, a manager who does not know the company security policy cannot recognize violations committed by the workers under their purview.
2. Demonstrate compliance with the security policy
“Do as I say, not as I do” does not work in today’s business world. If an employee witnesses a manager or executive not following a company security policy, that policy is seen as unimportant. Managers must always clearly demonstrate strict adherence to company policy in addition to providing verbal or written guidance on compliance.
3. Prioritize security over convenience
Most private sector companies focus on profits. This means that other priorities are often pushed aside and overlooked in the pursuit of higher profits. However, profits will suffer significantly if a security breach occurs on your watch. Managers must strike a balance between maintaining security and optimizing workflow to maximize revenue. Keep in mind, too, that it is human nature to avoid complications and choose the least inconvenient option. You have to actively fight this tendency in your daily personal and work life and guide your workers to do the same. Prioritize security, excellence, consistency and stability over convenience, speed and short-term profit.
4. Don’t assume all people, both internal and external, are good and have the best intentions
We have to plan for the worst and hope for the best. Reality can strike at any time, and a security breach can have devastating effects even on organizations with reasonable preparations. We can’t be overly pessimistic or optimistic in light of this fact. Not all workers will do their best or have the company’s best interests in mind. Not all outsiders are good customers who just want to pay a fair price for a fair product. You must build in contingencies for the day a worker turns on the organization or an outsider attempts to take advantage of your company.
5. Ensure workers who claim to have knowledge and skills can actually accomplish tasks at a reasonable quality level
Workers should be truthful and realistic about their skills and abilities, but a manager should never accept a resume at face value. Once a worker is on the job, managers should assign tasks over time, starting with the simple and basic and moving to the more complex and essential as that worker demonstrates skill, competence and reliability. Years of education or dozens of certifications do not guarantee that someone can actually accomplish important tasks. Trust, but verify (or more accurately, supervise).
6. Avoid passing responsibility (and blame) onto workers
As a manager, you should take extreme ownership of all tasks, jobs and projects under your control. Even if they are assigned to workers you oversee, it is still your responsibility to ensure tasks are performed properly and on time. If a worker is unable to complete a task, you need to figure out why and provide a solution. It is better to give the worker more time, more training or constructive criticism, or even to move the worker to another position, than to blame the worker alone for the failure. You need to be fully aware of your employees’ skills and abilities and assign tasks within those parameters. Pushing your workers to achieve beyond their current abilities is fine from time to time, but it is not the best course of action for their daily responsibilities.
7. Look to internal resources before seeking consultants or hiring new personnel
Organizations with large pocketbooks might think that leasing expertise from consultants or hiring a new high-skill worker is the best solution to every problem. This is rarely a good strategy. It also tells your current staff that you are not interested in promoting from within or in using the mental and physical resources that already exist in the organization. This signals to workers that they are a means to an end, unimportant to the organization as a whole and not essential to its long-term goals. That fosters disloyalty and poor workmanship.
According to the 2020 IT Skills and Salary Report, 62% of IT professionals who change employers cite a lack of opportunity for growth and development in their current role as the reason. An increase in compensation is a distant second at 41%.
8. Listen to employees
Employees often have knowledge and insight that a manager does not have and cannot otherwise obtain. It is essential to be open to the suggestions, comments and criticisms of employees. Each statement from an employee should be considered on its own merits, regardless of who it came from. Ignoring employees and forcing them to keep their ideas and suggestions to themselves will only push them to find another outlet. This can result in staff complaining online to the public, sharing their brilliant ideas with your competitors, or quitting and starting their own company to compete directly with you. This is known as disruption. Would you rather face disruption than listen to feedback from your employees?
9. Keep track of security news, alerts, and incidents both related to the organization and to the world at large
As a manager, it is important that you keep perspective, not just on what is taking place within your organization, but also on events taking place around the world. Managers should spend time each day reviewing IT and security news. They don’t need to read reams of paper, but they do need a reasonable grasp of the state of security, new threats, new cyberattacks and stories of recent victims, and they should pay extra attention to any alerts or warnings issued by security organizations. Being aware of a new exploit or a flaw in a core application can be the difference between suffering a major intrusion and knowing how to prevent one.
10. Learn from the mistakes or oversights of others
A wise manager learns from the mistakes of others rather than always having to fail personally in order to learn something important. Failure is an excellent teacher, but you don’t always have to be the one doing the failing. Watch for the mistakes of others within and outside your organization. Learn from the mistakes of workers, peer managers and the leadership above you. Learn from the mistakes of similar organizations, especially your competition. Learn from companies that failed to make their mark, those that closed their doors, and those that were compromised by attacks. Find ways to integrate that information into your organization and the guidance you provide your workers.
If it sounds like a lot, it is, but that’s why IT managers’ salaries are 26% higher than those of IT staff in North America. We all need to think about how our short- and long-term business or work decisions can affect our employer’s security. It is our responsibility to support security no matter what our job position may be.
11. Bonus tip!
Every IT professional should take CompTIA’s Security+ certification prep course, even if they don’t pursue the certification. We recommend it because the course provides the basic knowledge needed to plan, implement and maintain information security in a vendor-neutral format. This includes risk management, host and network security, authentication and access control systems, cryptography, and organizational security. I’m ending this article the way I started it: cybersecurity is everyone’s responsibility, so everyone needs a basic understanding of it.
Do you have other tips? Let us know on Twitter.