Why 'psychological safety' is so important for building a robust security culture


Fostering a culture of psychological safety for staff should be a critical focus for CISOs aiming to bolster cyber resilience, security experts have told ITPro.

This call to action came during a fireside chat at Ignite on Tour in London, which saw BAE Systems global CISO Dr Mary Haigh and Darren Curley, CTO at National Gas, join Palo Alto Networks CEO Helmut Reisinger to discuss their priorities for bolstering organizational security in 2024.

All three raised the importance of culture in fostering clear, quick communication between security professionals and broader teams in the event of a breach or after the discovery of a vulnerability.

Speaking to ITPro, Haider Pasha, CTO at Palo Alto Networks, said the culture side of cyber security is both a significant hurdle for enterprises looking to improve their security posture and an area CISOs are particularly focused on changing.

“[Culture] is (a) a massive challenge and (b) it is absolutely something that companies, specifically the CISOs, are trying to change in the organization.”

The reason CISOs are so eager to evolve attitudes towards cyber security, according to Pasha, is that security was not a priority for businesses until relatively recently.

“If you look at history, cyber security was never really a top priority for organizations even five years ago. It’s only when we started digitizing and we started looking at the unintended consequences of digitizing such as cyber attacks is when the CISO actually got a seat at the table.”

As a result, enterprises need to uproot legacy attitudes, Pasha said. This critical business function has often been viewed as an afterthought among executives, with security regarded as the sole responsibility of the CISO and security practitioners.

“It comes back to culture, what the CISO is trying to change is to explain to the board that cyber security is everyone’s job, and that’s a culture shift, it’s a mindset shift.”

Psychological safety creates well-functioning security teams

Dr Haigh expressed a similar sentiment, explaining that the lack of technical understanding at board level means security professionals can choose to withhold information about issues they could potentially be blamed for.

“Our boards are not full of people who are digitally fluent and understand cyber security, so they don’t always ask the right questions. It’s really easy for us to hide and not raise up the issues; you’ve seen CISOs starting to be prosecuted for it.”

The key here, according to Haigh, is to improve the security culture across an enterprise so that staff not only have the sense to report incidents that could expose mistakes on their part, but are also empowered to do so without fearing professional repercussions.

“The moral compass that’s got to exist within the teams to raise up the right issue when no one is looking is absolutely essential, and that’s about really good leadership skills and building psychological safety into the teams so they know when they raise an issue, when they show a dashboard that isn’t all green nobody’s going to throw it out and go ‘I can’t show that’,” Haigh argued.

Psychological safety refers to an employee’s perception of how likely they are to face negative consequences for taking an interpersonal risk in the workplace, such as admitting a mistake or reporting a problem.

This concept is particularly relevant to security because the impact of a breach is often disastrous for enterprises. New research indicates cyber attacks are getting quicker and costlier, and the costs are not limited to the damage caused directly by attackers.

In Check Point’s annual security report, global CISO and C-suite advisor Deryck Mitchelson predicted that 2024 would be defined by a surge in class action lawsuits over security incidents.

“Organizations will continue to see a surge in cyber attacks and data breaches, resulting in an explosion of class action lawsuits and litigation that could negatively affect CISOs.”

As a result, the pressure on all staff to prevent these security incidents is ratcheted up, and this pressure only grows for critical infrastructure organizations.

During the discussion on stage, Curley outlined the serious consequences an outage can cause in an organization like his.

“If one of our key pipelines had some sort of problem and oxygen was introduced into it, for a city the size of Birmingham it would take two years to get the gas back on,” he explained.

“The blast radius for one of [our] compression stations would be two kilometers, so it makes you think about all things in a very careful, considered way.”

As such, he emphasized the importance of ensuring security teams are communicating freely, noting that a company’s security posture cannot improve without a certain level of trust and accountability across the enterprise.

“One of our key mantras is psychological safety. Without people being able to raise their hand, either on the operational side of our business or on the cyber side, and say ‘this is wrong and we need to do something about it’, you never get better at what you do.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.