
Encourage innovation and risk taking
Create a culture where calculated risks are rewarded, even if they lead to failures sometimes. One way to do that is to implement “innovation time” by setting aside time (say, 5-10% of work hours) for experimentation or improving daily work. Once you continuously require your people to think about and act on improvements, you can see the results quite literally.
For risk taking, ensure people understand that this doesn’t mean taking just any security risk. Instead, encourage them to weigh security risk against benefits (impact) and likelihoods, and to present — or, when fully empowered, to act on — their findings. For example: at risk, $100,000; potential win, $500,000; likelihood to win, 0.5? Then take the risk. Contrary example: at risk, $500,000; potential win, $100,000; likelihood to win > 0.5? Choose not to take this security risk without additional controls and preparations.
Supply necessary resources
Ensure team members have access to the right tools, technology, and support systems. This could mean providing better software, more budget, or cross-departmental collaboration to remove barriers to success. I have teamed in the past with IT, OT, engineering, T&D, legal, HR, compliance, and even sales and marketing to get things over the “budget hump” — shared wins and shared successes will enable strong corporate culture and strong trust relationships.
