Cybersafe cultures depend on transparency, empathy and diversity

Effective security teams are encouraging transparency, empathy and, diversity, equity and inclusion (DE&I) in building a cyber safe culture.

Digital Nation Australia spoke to Mandy Andress, CISO at enterprise search platform Elastic about how security has shifted from a traditional “black box” function, to one that relies on a variety of perspectives for its success.

According to Andress, being transparent about security threats with the broader organisation, helps the team to understand their role in maintaining a culture of cybersecurity awareness.

“Everyone in the organisation has a role to play in security and helping folks understand what that role is and what they can do day-to-day to help the organisation build and maintain it,” said Andress.

“Being transparent and open helps educate and build awareness as well. It makes it real for everyone across the organisation to understand what is the security threats that the team is facing, that the company is facing and how can they as individuals in their role all help.”

Andress said that a focus on empathy in the cyber security industry has increased in the last five to 10 years, something that was unheard of when she started in the industry more than 20 years ago.

“Empathy was not something that was ever talked about or ever discussed or considered early on in my career,” said Andress.

“By empathy, what I see is folks really returning to what does this mean for the user? How is this impacting the user? What is the experience for the user and moving away from technology and process as the first focus of what a security program or what a security solution should be and starting with that end user in mind.”

Security leaders are also looking to create diverse teams, and break down homogeneous security cultures. Cultures built on sameness limit the teams capacity to create and learn, she said.

“I really strive to build teams where any one person has great experience, but put two, three, four or five different folks together with all different experiences through their life and their career and building on those ideas and creating an outcome and an effect that is far greater than what any one team member could do individually or, or the impact that they could have as an individual.”

Andress brought to light an example from a previous role where diversity in the team improved a cybersecurity outcome. In bringing together a team with a range of backgrounds and capabilities together in a working group team, she said a powerful outcome was achieved.

“We brought a whole bunch of people together, threat analysts, threat intelligence, security analysts, we had some risk folks, we had some just general IT folks, some architects,” said Andress.

“We went from, as we measured ourselves, just not really being very active at all in proactively identifying, to we could see something questionable happening within minutes in the organisation and researching that.”