How can CISOs improve the employee experience?

As workers prioritize flexible work and learning opportunities, organizational leaders must focus on creating a positive employee experience.

This article was originally published on the Forbes Technology Council.

During the Great Resignation, attracting and retaining top talent is the responsibility of everyone in the C-suite—including the chief information security officer. As workers prioritize flexible work and learning opportunities over top salaries, organizational leaders must focus on creating a positive employee experience across every facet of the business.

The employee experience is the totality of an employee’s journey at a company, from interviewing to daily work life to exiting the company. People who report having a positive employee experience are 16 times more engaged and eight times more likely to want to stay with a company.

CISOs play a vital role in shaping the employee experience, but it’s an uphill battle. Employees see cybersecurity as a necessary evil that only impedes productivity. In fact, 23% of workers reported that following their organizational cybersecurity policies “very often” or “extremely often” impedes their ability to complete work.

By addressing the employee security experience, CISOs can help reduce turnover, boost productivity and accelerate growth while also strengthening the organization’s cyber risk and security posture. Here are five ways CISOs can improve the employee experience.

1. Develop security strategies for flexible work.

Recently, Airbnb was lauded for its hyper-flexible work policy, while elsewhere employees quit their jobs and lambasted companies that demanded a return to the office. If these events are any indication of a larger trend, it is that flexible work is here to stay.

However you define flexible work, one thing is clear: The days of every employee connecting to the corporate network at headquarters are over. Instead, CISOs must develop long-term security strategies that support a globally distributed workforce while ensuring that remote work experiences are similar to, if not better than, connecting to the central office.

To start, consider the employee experience across multiple scenarios, including while employees are traveling (nomadic work is rising), using public Wi-Fi or experiencing bandwidth congestion at home. Expect employees to be in situations in which they need to use a personal device for work or vice versa. Have conversations now with employees to understand and address their IT and security pain points surrounding flexible work.

2. Empower technology-savvy workers.

Today, workers are data-driven and tech-savvy. In fact, 1 in 5 workers view themselves as technology experts after the Covid-19 pandemic forced an increased reliance on digital collaboration tools and reduced access to in-person IT support.

The future of work is one that clears the way for individuals and teams to make autonomous data-driven decisions. CIOs have a clear mandate to equip the workforce with the data and technology they need—wherever and whenever they need it. CIOs are giving more budgetary and administrative control to business line managers, local IT teams and even individual employees, empowering them to adopt new SaaS and cloud technologies as needed.

Yet, this bottom-up approach faces headwinds of traditional cybersecurity governance, which blocks unsanctioned IT until it’s undergone a vendor security review and onboarded to centralized security controls. This disrupts productivity, frustrates employees and leads to shadowy workarounds.

Traditional “block and lock” approaches to security governance no longer reflect the current realities of modern work. CISOs must find new ways to empower tech-savvy workers without sacrificing security. It’s a difficult challenge for sure, but it’s possible.

3. Make security a sidecar for employees.

After onboarding, the first interaction an employee has with cybersecurity is usually when the employee makes a mistake, perhaps by falling for a phishing attack or using an unapproved file sharing service—after the damage is done.

CISOs try to prevent damage with more cybersecurity training. Yet, studies show that overexposure to cybersecurity training can actually lead to security fatigue and poor security outcomes. Instead of waiting until after a poor decision is made, make security a sidecar to the decision-making process.

Start by identifying all of the security-related decisions employees encounter. Ask: How would an employee know if this decision impacts security? If they had a question, would they know where to find an answer or whom to ask? How long would it take to get a response? Is that a reasonable time frame given the pace of productivity?

Identify subtle interventions that guide employees toward better decisions. Something as simple as keeping regular security office hours or creating a Slack channel can be a great start. Although it’s not feasible to handhold employees through every decision, this is where automation and AI can have an outsized impact.

4. Connect security to employees’ personal lives.

Many employees outside of the IT department reportedly fail to see a direct connection between the cybersecurity education they receive at work and its relevance to their everyday personal lives. As a CISO, you’re in a unique position to help employees connect the dots between cybersecurity at work and at home.

Consider augmenting security training with practical advice employees can share with friends and family. Host lunch-and-learns on relevant topics of cybersecurity, online privacy and internet safety. Consider social impact programs, such as organizing companywide activities on Safer Internet Day.

5. Build trust and transparency.

One of the surest ways to erode the employee experience is to “spy” on employees. Employees are increasingly concerned about privacy at work, and TikTok influencers are calling out “creepy” surveillance software.

Employees need to know how they’re being monitored and why. CISOs can shed light on security monitoring practices by enlisting other organizational leaders to help socialize information within their teams. Consider monitoring solutions that not only give the security operations center (SOC) visibility but also allow employees to see what personal data and activities the organization monitors. This can improve employee trust and transparency.

Creating a positive employee experience is key to a productive and engaged workforce, yet cybersecurity can be seen as a negative. CISOs must fix this. By improving the employee experience, CISOs can support business goals while also strengthening the organization’s cyber risk posture.
