Without trust, your security team is dead in the water
The rise of cyberattacks and data breaches has increased the need for sound security that works across any type of business. But with any change in an organisation, buy-in is essential.
Airwallex's head of IT and information security Elliot Colquhoun says from a security perspective, organisations tend to over index on reviewing security controls, such as those implemented by a vendor or implemented within their own environments.
"This is a useful lens for business as usual, however, security professionals should expand their evaluation to also include the human and often undervalued aspects of trust," he says.
"Do your employees trust your security team? Do your customers have a positive perception of your security that has earned their trust?"
Colquhoun says having the trust of employees and customers is a force multiplier for security. At Airwallex, the staff are generally passionate about privacy and understand the impact of security changes, and so positive engagement is critical.
"We have seen first-hand that the high level of trust from our employees results in easier and more effective implementation of security changes and controls. The impact of this extends to our customers – their increased trust in our controls drives loyalty and wider adoption of our products," he says.
Later on, this positive branding also becomes a differentiator and a revenue multiplier. Companies get greater customer access because they have the perception and brand to convince their internal security teams.
How can security leaders build trust with employees and customers?
Trust is built on communication and transparency. Colquhoun advises that companies should share what is on their roadmap and openly discuss recent incidents or investigations. Focus on the impact of changes they're making and explain why they are required.
"Recently, we implemented a VPN which performed TLS interception. Naturally, some employees had concerns about the privacy implications, particularly for personal internet browsing," says Colquhoun.
To navigate these concerns, Airwallex took several steps to ensure its staff backed the objective, including:
1. Distributing a fact sheet that helped explain the privacy considerations in as simple language as possible
2. Writing an internal blog post explaining why it was implementing these changes
3. Hosting town hall meetings in each region, allowing employees to voice any concerns and the security team to answer any questions.
"Being transparent made our employees feel heard, and this increased the overall uptake and integration of the VPN. Some of our most cynical users turned into supporters who helped build our VPN into firewall rules for tools within their departments," says Colquhoun.
"Transparency is equally important for your customers as it allows you to demonstrate the maturity and strength of your security program. It-#39;s important to define the perception before customers define it for you."
"For example, we list our security certifications and details about our security program on the Airwallex Trust Centre, an NDA-protected portal on our website. We also publish blogs –such as our engineering team's Medium page– and open source parts of our security infrastructure, in an effort to be transparent about our security program and share learnings with others in the industry."
Building security into a business identity transforms how its customers view its implementation – from simply alleviating a user experience pain point to adding real value to the customer's experience.
Traditional security engagement programs have turned into a box-ticking exercise
Increasingly rigorous regulator and partner requirements for security awareness and vendor reviews have driven a need for a very specific engagement model. For employees, this is typically annual security awareness training. For customers, this is likely SOC2/ISO27001 or similar audited reports. Unfortunately, while these strict requirements are the minimum acceptable controls for a regulator or partner, they often fail to drive meaningful engagement.
Colquhoun says if we're honest with ourselves, these box-ticking exercises alone do not represent the ever-evolving security program required to safeguard against modern threats. They also lack the opportunity to showcase the meaningful and differentiated controls implemented by security programs.
This is where a dual approach can be most effective.
"At Airwallex, we strengthen compliance-driven security awareness to meet regulations, with 'behind the curtain' awareness events to build trust and transparency," he says.
"Each quarter, we run an in-person session open to all staff; diving into some recent security investigations, giving our staff a better understanding of what the security team works on, and the kind of threats we are protecting our company from. This transparency leads to increased trust."
Colquhoun says frequent communication and transparency are critical when implementing a security program that prioritises building trust. Therefore, when designing a program, businesses should consider the following:
- Do employees know what's on the security team's roadmap for the year?
- Do employees know why different security controls are being deployed and the risks and threats they aim to reduce?
- What is your customer's perception of your security?
- How closely does that customer perception match the state of your security program?
- Are you proactive or reactive with your communications?
Additionally, a senior management team with a deep understanding of how security impacts the business and its operations, is critical in determining the success of a security program. Engagement metrics – such as employee surveys measuring trust in your security team or increases in reported security events – are useful for obtaining trust from senior management.
"All of these methods require time. While a relatively easy and impactful addition to budgets and roadmaps, trust isn't built overnight, but once earned, the return on investment is priceless," concludes Colquhoun.