Psychological Safety and Information Security
It’s no wonder that information security gets a bad press.
Consumers entrust organisations with their personal information sometimes only to find that it has been breached and used by criminals or marketeers for nefarious purposes.
Some of the biggest breaches, such as those of Facebook, Marriott hotels, or OxyData, consist of hundreds of millions of records. If you have a personal email address, it’s likely that it’s been involved in at least one data breach. An entire industry has emerged to help check for and protect your personal information against breaches. For example, services such as Ydentity allow you to check whether your details have been involved in breaches and do something about it.
Data breaches are usually the result of mistakes.
The most common causes of data breaches all revolve around the human element. Mistakes made by employees configuring or using the systems that manage personal information account for a large share of breaches, and many of the "technical" intrusions, whether hacking, exploitation of vulnerabilities, or abuse of access controls, start from a human slip such as a phished password or a misconfigured service.
Psychological safety and information security are rarely heard in the same sentence. Measures to improve information security usually revolve around protocols, “standard operating procedures” and punishments for breaking rules.
To combat the effect of this human element, many organisations implement security awareness programmes and information security training, alongside strict protocols and technological restrictions. Often this results in employees finding ways around security controls in order to do their job, and then being punished for doing so. This has a negative effect on psychological safety in an organisation, because people do not feel trusted or empowered to do their jobs.
Psychological safety is the opposite of “blame culture”.
A lack of psychological safety is directly connected to information security. A lack of psychological safety constitutes a "blame culture", which is often directly encouraged by infosec teams. In a blame culture, mistakes and near misses are hidden rather than reported, at every level of the organisation, so the weaknesses behind them are never found or fixed.
In Dr Amy Edmondson's research on hospital nursing teams in the 1990s, she found that the better-performing teams reported more errors, not fewer: they admitted their mistakes, whilst poorly performing teams hid theirs. In a psychologically safe culture, where blame is not apportioned but instead every mistake is treated as a learning opportunity, mistakes ultimately improve performance by providing opportunities to find the systemic causes of failure and implement measures for improvement.
Organisational culture and psychological safety are critical not only to prevent information security breaches but to ensure we deal with failure in such a way that we can learn from it. If we want to learn from mistakes, and indeed, if we want people to raise their mistakes or concerns, we must facilitate a psychologically safe culture in which people feel empowered and safe to raise concerns, questions and mistakes.
All employees must feel able to ask security questions that they may feel embarrassed to ask, and team members must not be shamed for wanting to improve information security practices. Psychological safety is at the core of these behaviours – by allowing communication around security to be open and frequent.
For software development teams, effective automated security testing and governance that prevents flaws and vulnerabilities reaching production is essential. This guardrail means that software developers can focus on the business problem to be solved and worry less that they may inadvertently introduce a vulnerability. More importantly, it means that if a vulnerability does get into production, the examination of how it happened should look at the systems themselves (the missing test, the check that was too easy to skip, the review step that did not exist), not at the engineer who wrote the code.
Alongside measuring psychological safety in their teams, information security leadership must begin to adopt practices such as blameless post-mortems and build cultures that allow for an open and honest analysis of failure without fear of embarrassment or retribution. One very effective way of doing this is by carrying out a "Fear Conversation", in which team members raise their fears and concerns, discuss mitigations, and describe what their ideal state looks like. This exercise generates useful outcomes but, even more importantly, builds psychological safety in the team.
Whether you’re a team leader, senior executive, or individual contributor, you can build and foster psychological safety in your team and organisation by employing three core behaviours:
- Treat everything as a learning opportunity: every incident, every task, should generate learning.
- Admit your own fallibility: if you admit when you don't know something, or when you make a mistake, you make it easier for others to do so.
- Model curiosity and ask questions: by asking questions of others, you create the space for people to speak up.
This psychological safety toolkit contains everything you need to build and improve psychological safety in your team and organisation, which will result in improved performance, higher quality, happier people, and improved information security.
For information about psychological safety and high performance organisations, contact me.