Why feedback is the missing puzzle piece in your cyber security strategy.

Image of an assist search with no results. There is an Insights pop up at the bottom right hand of the screen asking for feedback

Joe Giddens

Director of Content & Communications

2022/01/18

Feedback is important in all walks of life. It can be what takes you from being good to excellent, as a leader, a colleague, or friend. 

We are often reluctant to give or receive feedback. What’s holding people back from sharing their thoughts? 

We don’t tell the waiter when the steak is not cooked the way we asked, or the wine is not the one we had ordered. Why? Because we fear the replacement might be tainted in retribution for complaining.

In the same vein, how many restaurants ask for honest feedback? According to a Forrester report, only 34% of surveyed organisations collect feedback. Even companies with the processes in place can struggle to receive feedback. Plus, a high response rate doesn’t necessarily mean the responses are useful.

Why might people shy away from giving or asking for honest feedback?

Lack of confidence

We’ve all had a moment where we’ve backed down from saying what we really think. It’s usually for fear of judgement or offending the person. This can be even more prominent when it’s an area people are not familiar with, such as cyber security.

Lack of clarity

People might not know who handles cyber security at their workplace! How can we expect them to know who to reach out to when they see suspicious activity?

Lack of engagement

Feeling like you want to speak up and share your thoughts, good or bad, means you care. If people aren’t engaged, chances are they won’t give feedback. 

How can you tackle barriers to feedback and foster a healthy security culture? Creating a safe space for people to provide their candid and sincere feedback is a great start.

Let’s look at how we perceive feedback and how it impacts us and those around us.  

 

There’s spinach in your teeth

You’re at lunch with a new friend. You order the salad as a part of your New Year’s health kick. You end up with some spinach in your teeth (it happens to the best of us!). 

Would you want your friend to point it out to you? Or would you prefer to continue your day none the wiser?

Most people would want the person to tell them about the spinach and endure a brief moment of embarrassment. It feels much better than the distress of discovering it yourself later on during a business meeting or a date!

In a work context, we all have our blind spots. We struggle to say no to taking on projects, we delegate too much or too little, or we are slow to make decisions. It’s all spinach in our teeth that we are unaware of, but our colleagues see clearly.

Receiving feedback can be difficult, but only if we hear it as criticism. Whether you are the person with the metaphorical spinach in their teeth or the friend that has to point it out, timely and accurate feedback is a gift. It is vital information about how people perceive us and what is limiting our success.

Armed with the spinach anecdote, you are ready to receive feedback! This is where the real work begins. You still need to encourage your people to share their thoughts and experiences with you…

 

Communication is a two-way street

Too often, cyber security feels like a one-way street of communication. People might be struggling with issues in silence. They might feel like discussions only happen when something has gone wrong.

Creating content, delivering it, and checking the box that it’s done isn’t how you build a resilient security culture. Delivering security awareness content that supports people does. This starts with finding out what they like and what they don’t like.

This will make your security awareness program stronger and more effective. And people are more likely to engage with campaigns if they feel like they’ve helped to shape them. Ownership. It’s a powerful motivator.

 

Quick and painless

We all hate doing things that make our job harder. So it’s no surprise people avoid difficult and bothersome security controls. A big part of developing security strategy is communicating with the people, to find out what does and doesn’t work. 

There are usually two main ways to collect feedback – surveys and interviews. Both methods have pros and cons. Interviews provide in-depth information on employee experiences but aren’t scalable. Surveys have the advantage of scalability as they’re easy to collect, but they need widespread employee participation and engagement. 

Plus, survey fatigue is a real thing! It’s where an organisation overwhelms employees with interviews and surveys. People start to disengage from a training program and provide incomplete answers to get the assessment out of the way.

Survey fatigue leads to inaccurate responses to assessments or surveys. It also causes employee dissatisfaction. This is particularly important when it comes to staying safe online. All it takes is one person making a tiny mistake to go from a secure organisation to dealing with a data breach!

Demotivation can be minimised by reducing the time surveys take to complete. Another often overlooked way to reduce friction is to integrate feedback directly into your cyber security tools.

 

Introducing “Insights”

The CybSafe platform harnesses the power of real time feedback in its “Insights” tool. 

Insights is a direct communication line to your people. It takes the form of an easily-accessible widget embedded into the CybSafe platform. At key points in the CybSafe experience, people are asked to share their thoughts with administrators.

They’re able to share:

  • General comments
  • Requests for help with security issues
  • And feedback about when security measures are preventing them from doing their job

Feedback is sent to administrators who can respond quickly and directly through the platform. It’s nested within the Culture reports page. Here, you can see people’s feedback alongside other security culture metrics from the CybSafe culture survey and sentiment analysis engine.

Making it as easy as possible for people to provide feedback on your security campaigns is an easy win. Through feedback, you can find out why people don’t follow security controls. You can use this feedback to create the best possible people-centric security strategy. Your people trust you are listening to them and value their thoughts. Win-win!

 

Time to take action 

Collecting feedback is the first step. What you do with it generates impact. Depending on the type of feedback you receive, you can respond in many ways.

Imagine people at your organisation share that they can’t remember all their passwords. Introducing a password manager is an appropriate, data-driven response.

If you notice a pattern in feedback, think about how you can create a long term solution. For example, a number of people reach out to you saying they don’t know who to go to when reporting security incidents. How might you make this information readily available and easy to find? 

On the CybSafe platform, we’ve integrated Insights into our Assist feature. This allows people to reach out to administrators for help if they can’t find what they’re looking for. You’ll know the exact topics that are missing and you can fill any gaps in content using custom Assist entries. 

Let’s take a look at this integration in action:

 

Keep lines of communication open

Healthy cyber security culture needs open lines of communication and employee feedback. This doesn’t mean people only hear from the security team when they have made a mistake. Communication should be two-way. People should play an active role in keeping themselves and their organisation safe. 

There are only so many people working in cyber security. But if you empower everyone, you have dozens or even hundreds of eyes on the ground. Cybersecurity is the ultimate team sport, and everyone should feel part of the team.

Find out more about how you can put people at the heart of your cyber resilience strategy by downloading our free ebook on People Centric Cyber Security

Try it yourself or see it in action