One of the biggest atrocities I see from security leadership in some organizations is failing to thoroughly investigate a report and then failing to give the reporter context on what was found.
If an employee reports unnecessary access to data, for example, and you agree that the report is correct and the gap gets closed, you had better celebrate that employee publicly. It is a tremendous green flag for your security culture when employees take time out of their day to actually help defend the company. Make damn sure you return the favor. See my note on “Bug bounty program,” with a focus on the internal aspect, for more.
If reports are either ignored or not celebrated, can you expect that behavior to continue? Send some cash their way! Your company's “recognition points” spent on swag are not changing anything. Sorry to tell ya.
Additionally, appoint a liaison for disclosures to ensure reporters are neither retaliated against nor ignored. Reporters often have little or no technical ability, but more importantly, they will almost always allow themselves to be gaslit. The liaison's job is to ensure a technical leader can't just say something like “unfortunately there's nothing we can do to reduce that risk, it's a vendor problem and we're waiting for a fix,” or “yeah, we already know about that and it's not that severe,” and leave it there. Either of those may even be true, but then it belongs in writing as an accepted risk with an owner and any compensating controls, not as a way to end the conversation.
The liaison also ensures the discloser feels safe and appreciated while uncovering a technical failure. If you let your security operations center field every disclosure on its own, do I need to spell out what sometimes happens when the risk uncovered is one that exists because of their own mistake?
Gaslighting is a form of psychological manipulation where the goal is to make someone question their reality. Here’s how this might look in a cybersecurity context:
Gaslighting in this context creates a toxic work environment, leading to stress and anxiety, and it can prevent legitimate security threats from being uncovered and disclosed; worse, a reporter who is dismissed may turn to exploitation instead of disclosure. Protect your most security-minded staff, and they will protect your company.