The rise in cyberattacks and data breaches has increased the need for strong security that works in any type of business. But for any change in an organization, buy-in is key.
Airwallex IT and Information Security Manager Elliot Colquhoun explains that from a security perspective, organizations tend to focus narrowly on examining security controls, whether those implemented by a provider or those implemented in their own environments.
“This is a useful lens for business as usual; however, security professionals should broaden their assessment to also include the human and often undervalued aspects of trust,” he says.
“Do your employees trust your security team? Do your customers have a positive perception of your security that has earned their trust?”
Colquhoun says employee and customer trust is a force multiplier for security. At Airwallex, staff are generally passionate about privacy and understand the impact of security changes, so positive engagement is essential.
“We have seen firsthand that the high level of trust among our employees translates into easier and more efficient implementation of changes and security controls. The impact of this extends to our customers – their increased confidence in our controls drives loyalty and wider adoption of our products,” he says.
Over time, this positive brand image also becomes a differentiator and a revenue multiplier. Companies win customer access more easily because their security reputation and brand are enough to convince the customers’ own internal security teams.
How can security managers build trust with employees and customers?
Trust is built on communication and transparency. Colquhoun advises companies to share what’s on their roadmap and openly discuss recent incidents or investigations. Focus on the impact of the changes they make and explain why they are needed.
“Recently, we implemented a VPN that performed TLS interception. Understandably, some employees were concerned about the privacy implications, especially for personal Internet browsing,” says Colquhoun.
To overcome these concerns, Airwallex took several steps to ensure its staff supported the goal, including:
1. Distributed an information sheet that explained the privacy considerations in language as simple as possible
2. Wrote an internal blog post explaining why they were implementing these changes
3. Held town hall meetings in each region, allowing employees to voice their concerns and the security team to answer any questions.
“Transparency made our employees feel heard, which increased overall VPN adoption and onboarding. Some of our most cynical users became supporters who helped bring our VPN into the firewall rules for their service tools,” says Colquhoun.
“Transparency is equally important to your customers because it allows you to demonstrate the maturity and strength of your security program. It’s important to define perception before customers define it for you.”
“For example, we list our security certifications and security program details on the Airwallex Trust Center, an NDA-protected portal on our website. We also publish blogs – such as our engineering team’s Medium page – and open source portions of our security infrastructure, with the goal of being transparent about our security program and sharing learnings with others in the industry.”
Integrating security into the corporate identity transforms the way customers perceive it – from simply reducing a pain point in the user experience to adding real value to the customer experience.
Traditional security engagement programs have turned into a tick box exercise
Increasingly stringent security awareness and vendor review requirements from regulators and partners have driven the need for a very specific engagement model. For employees, this is usually annual security awareness training. For customers, this is probably SOC2/ISO27001 or similar audited reports. Unfortunately, while these stringent requirements are the minimum acceptable controls for a regulator or partner, they often fail to drive meaningful engagement.
Colquhoun says that, if we are honest with ourselves, these checkbox exercises alone do not represent the ever-evolving security program needed to protect against modern threats. Nor do they offer an opportunity to highlight the significant and differentiated controls that security programs implement.
This is where a two-pronged approach can be most effective.
“At Airwallex, we build compliance-focused security awareness to meet regulations, with ‘behind the curtain’ awareness events to build trust and transparency,” he said.
“Each quarter we host an in-person session open to all staff, diving into some recent security investigations and giving our staff a better understanding of what the security team is working on and what kind of threats we are protecting our business against. This transparency leads to increased trust.”
Colquhoun says frequent communication and transparency are key when implementing a security program that prioritizes building trust. Therefore, when designing a program, companies should consider the following:
- Do employees know what the security team’s roadmap is for the year?
- Do employees know why different security controls are deployed and the risks and threats they aim to reduce?
- What is your customer’s perception of your security?
- How does this customer perception match the status of your security program?
- Are you proactive or reactive in your communications?
In addition, a management team with a thorough understanding of the impact of security on the business and its operations is essential to the success of a security program. Engagement metrics, such as employee surveys measuring trust in the security team or an increase in the number of reported security events, are helpful in gaining management trust.
“All of these methods take time. While a relatively simple and effective addition to budgets and roadmaps, trust is not built overnight, but once earned, the return on investment is priceless,” concludes Colquhoun.