Resilience, human factors and security
Within business, resilience is a concept that describes the ability to continue delivering intended outcomes despite experiencing challenging cyber events, such as a cyber attack, natural disaster or economic hardship. The concept brings together business continuity, information systems security and organizational resilience.
In other words, at the drop of a hat, with little to no downtime, to what extent is your business area able and ready to respond and adapt in the event of incremental changes and sudden disruptions?
Imagine the personal impact on employees when, one morning, they open their laptops or turn to their phones and find that they can’t log in to their work applications anymore. They can’t log in to email, they can’t get on with regular work tasks, and they no longer have access to the alternative communication tools that would normally be used to keep them informed about what is going on.
The impact on productivity aside, the psychological impact that security incidents can have on employees is considerable. If they don’t have access anymore, how do they then respond? How are they feeling? What kind of emotional impact does this have on individual employees?
While one may argue that some might be relieved, in the vast majority of cases this type of event will trigger anxiety and distress. Improper communication about what to do if such an incident occurs can also seriously damage the sense of trust and belonging employees may have had in the organization.
Putting out the fire, so to speak, and getting the crisis under control as soon as possible is of course a necessary priority, but it is worthwhile considering adding another layer to your incident response plans to help the whole organization be prepared. For example, consider doing regular fire drills and tabletop exercises, not only with the security team and management, but with all other employees too.
When talking about building resilience against security incidents within organizations, we mustn’t limit the conversation to business continuity planning, data backups and other technical solutions; we must also take a human-centric perspective on the topic.
The primary goal of security professionals is to ensure there is still a business to operate tomorrow. And that means recognizing, acknowledging and engaging with other employees in the business. We have to remember that we’re all human, and a psychologically healthy and safe workplace is a necessity for business and security.
Regardless of industry or geography, in today’s economic landscape, knowledge-based jobs dominate. Recognizing the value of employees' brain work is crucial for an organization’s success. This is why organizations need to prioritize creating psychologically safe workspaces, where employees feel safe, respected and integrated, and where they have sufficient time and space for their intellectual contributions.
In his exchange with Yolanda Hamblen, on the Security Circle podcast, Praxis Security Labs' CEO, Kai Roer, asserts that businesses that recognize and value their employees, and acknowledge their contributions, are more likely to thrive and withstand incidents.
To listen to the entire conversation, here is a link to the episode: https://www.buzzsprout.com/2120058/14063193