I recently completed my studies at the Luxembourg School of Business and began exploring how to incorporate my newfound knowledge into my field of work. Specifically, I've been considering the application of Psychological Safety principles in the realm of Cyber/Information Security. 

What is Psychological Safety?


Psychological safety is a concept that refers to an individual's perception of the consequences of taking an interpersonal risk in a work environment. It involves feeling safe to express oneself without fear of negative consequences to self-image, status, or career. In a psychologically safe team, members feel accepted and respected. This environment allows for open communication, creativity, and innovation, as individuals feel comfortable sharing their ideas, questions, concerns, and mistakes without fear of ridicule or retribution.

Amy Edmondson - TED Talk (Building a psychologically safe workplace)
https://www.youtube.com/watch?v=LhoLuui9gX8


What Psychological Safety is NOT?


Psychological safety at work is not about being nice or avoiding conflict. It doesn't mean that everyone agrees all the time or that performance standards are lowered. It's not a license for complacency or mediocrity, nor is it about providing unconditional positive feedback. 
Psychological safety is about creating an environment where people can speak up, share ideas, and take risks without fear of punishment or humiliation, while still maintaining high standards of performance and accountability.

Amy Edmondson

Why is it particularly important in Cybersecurity?


In cybersecurity, a blame culture can be prevalent due to the high stakes and issues often linked to human errors or faults. This environment can lead to a fear of reporting mistakes, reducing open communication and hindering the timely identification of security risks. 

Shifting from a blame culture to one that values psychological safety is crucial. It creates a setting where employees can report issues, learn from mistakes, and collectively enhance security measures, leading to a more resilient and effective cybersecurity strategy.

According to the article "Psychological Safety and Information Security", the phenomenon has even bigger implications: the article emphasizes that mistakes, often the cause of data breaches, are linked to a lack of psychological safety in organizations. The author, Tom Geraghty, stipulates that this is part of the reason that a lot of data breaches are being covered up.

By fostering a blame-free culture where errors are seen as learning opportunities, psychological safety can improve performance and information security. The article advocates for creating an environment where employees feel empowered and safe to raise concerns and questions, which is key to enhancing both individual and organizational performance in the context of information security.

In the podcast "Creating psychological safety in cybersecurity", Andra Zaharia and Emma Wicks agree with the above but go much further.

Psychological safety is not just a facilitator for better workplace dynamics but is crucial for effective cybersecurity.

My Summary

Below is my summary of why I believe psychological safety is important in Cybersecurity in particular and, if I am right, may even lessen the high rate of burnout we see throughout the profession.

  • Reporting Failures
    Studies have shown that trust and respect among team members lead to increased reporting of errors, as individuals feel more comfortable discussing failures (Edmondson, 1996). Continual growth and development are crucial in the field of cybersecurity (Dawson & Thomson, 2018), and a significant part of learning in this domain comes from understanding and analyzing these errors (Edmondson, 2019).
  • Breaking the Silence
    If cybersecurity professionals don’t feel that they can speak up and share, their knowledge won’t be passed on. Organizations lose out on valuable insights, teams lack candor, and employees feel unheard.


  • In times of Crisis
    Psychological safety is pivotal during crises. It creates an environment where team members are open to sharing concerns, insights, and innovative solutions without fear of reprisal. This openness is essential in cybersecurity, where rapid response to threats and collaborative problem-solving are crucial. Leaders who promote psychological safety can more effectively manage crises, as their teams are more willing to provide crucial information and engage in creative thinking, enhancing the team's resilience and adaptability in high-stakes situations.
  • Much to Fear, Ways to be Fearless
    In the context of cybersecurity and psychological safety, this emphasizes the need to navigate the volatile, uncertain, complex, and ambiguous (VUCA) world of cybersecurity with a mindset of fearlessness. In this scenario, fostering psychological safety is key to empowering individuals and teams to confront and address these challenges without fear. By creating an environment of trust and open communication, where mistakes and vulnerabilities can be openly discussed and learned from, organizations can more effectively navigate the complexities and uncertainties inherent in cybersecurity, transforming fear into proactive and resilient security practices.
  • Empathy and Understanding in Cybersecurity
    Cybersecurity goes beyond technology; it's about understanding and addressing the fears and motivations of people. Emphasizing empathy and creating positive experiences can significantly enhance cybersecurity efforts.
  • The Role of Psychological Safety
    Creating a psychologically safe environment encourages open dialogue and admission of vulnerabilities, crucial for identifying and addressing security risks.



  • Empathetic Leadership
    Leaders in cybersecurity need to adopt an empathetic approach, prioritizing understanding and supporting their teams and users. Those in cybersecurity who resonate with and practice empathy, compassion, and kindness often adhere more closely to their values and principles, setting positive examples for the community. This enhances team collaboration and morale, improves problem-solving and innovation, and enhances employee retention and job satisfaction.
  • Acknowledging Imperfections in Practices
    Cybersecurity professionals also make mistakes, such as using weak passwords or skipping updates. Recognizing these imperfections fosters better self-awareness and empathy towards others facing similar challenges.
  • Helps with diversity of perspectives and skills
    Integrating diverse perspectives, including communications and user experience, enhances the effectiveness and inclusiveness of cybersecurity.
  • Normalizing Imperfection and Nuance
    Accepting imperfection and nuance as part of cybersecurity paves the way for a more compassionate and realistic approach to its challenges. Cultivating a Positive Security Culture encompasses building trust, fostering open communication, and promoting continuous learning and adaptation.
  • Benefits for Businesses
    A positive security culture, underpinned by psychological safety, leads to enhanced threat detection, reduced insider threats, and a competitive advantage in attracting and retaining top talent.

Step by Step towards a Psychologically Safe Cybersecurity Organisation


Step 1: Leadership Commitment
  • Acknowledge the Importance: Leadership must recognize and communicate the importance of psychological safety in the workplace.
  • Lead by example: Leaders should model the behaviors they wish to see, such as openness, empathy, and respect. Train (and require training) your managers on the principles established in the next steps.
Step 2: Establish Clear Values and Principles
  • Define Core Values: Establish core values that include respect, integrity, and collaboration. Establish principles that enshrine those values and that employees can use as a guide. See "The Power of Aligning Values and Leadership Principles for Success".
  • Communicate Expectations: Ensure everyone understands these values and the expectations around behaviour and communication. Consider embedding culture and behavioral components in your performance review cycles.
Step 3: Create Open Communication Channels
  • Encourage Open Dialogue: Foster an environment where team members feel comfortable sharing their thoughts, ideas, and concerns.

    "Have Backbone - Disagree and Commit" - See "The Super power of the Disagree and Commit culture"

  • Regular Check-ins: Implement regular team meetings and one-on-one check-ins to discuss not just work-related issues but also any concerns team members might have. Create a safe place to talk.
Step 4: Promote a Learning Culture
  • Focus on Learning: Emphasize continuous learning and development, rather than penalizing mistakes.

    "Bias for action" - See https://www.fingerprintforsuccess.com/blog/bias-for-action

  • Training and Development: Provide training on topics like emotional intelligence, communication skills, and conflict resolution.
Step 5: Develop Transparent Processes
  • Clear Policies: Have clear, transparent policies and procedures for reporting and addressing issues.
  • Feedback Mechanisms: Implement anonymous feedback tools to allow employees to express concerns safely. Have a zero tolerance policy against retaliation.
Step 6: Encourage Inclusivity and Diversity
  • Diverse Teams: Build teams with diverse backgrounds to bring various perspectives.
  • Inclusivity Training: Offer training and workshops on inclusivity and cultural competence.
Step 7: Support Employee Well-being
  • Well-being Programs: Implement employee well-being programs, including mental health support.
  • Work-life Balance: Encourage a healthy work-life balance with flexible working options.
Step 8: Normalize Vulnerability
  • Lead by Example: Leaders should openly share challenges and learnings, showing vulnerability.
  • Safe Space for Sharing: Create forums or meetings where sharing and learning from failures or mistakes is encouraged.

    "Earn Trust" - See "The Superpower of Earned Trust"

    "Learn and be curious" - See "The Superpower of Curiosity"
Step 9: Regularly Assess and Adapt
  • Regular Assessments: Conduct regular surveys or assessments to gauge psychological safety levels.
  • Continuous Improvement: Be open to feedback and continuously look for ways to improve the work environment.
Step 10: Implementing Feedback and Adjusting Strategies
  • Action on Feedback: Actively implement changes based on feedback received. Build a coaching program and continue including elements and mechanisms of psychological safety in meetings, reviews and feedback.
  • Adjust Strategies: Be willing to adjust strategies and approaches based on the evolving needs of the team and organization.

Further reading and Sources:


  1. Building a Resilient Cybersecurity Workforce: A Multidisciplinary Solution to the Problem of High Turnover of Cybersecurity Analysts https://link-springer-com.proxy.bnl.lu/chapter/10.1007/978-3-031-20160-8_5
  2. Stress, Burnout, and Security Fatigue in Cybersecurity: A Human Factors Problem https://sciendo.com/article/10.2478/hjbpa-2022-0003
  3. Burnout in Information Security: The Case of Healthcare https://www.taylorfrancis.com/chapters/edit/10.4324/9781003348603-10/burnout-information-security-case-healthcare-mitch-parker
  4. Information security burnout: Identification of sources and mitigating factors from security demands and resources https://www.sciencedirect.com/science/article/pii/S2214212618302692
