With two children having gone from college dorm rooms to apartments to now growing into their own places, I have earned the equivalent of a Ph.D. in assembling IKEA furniture. With each new piece I have built together with them, my admiration for the Swedish furniture giant has grown. I think IKEA products provide a masterclass in meticulous design, communication, and support that cybersecurity leaders can learn from and apply to their programs.
One of IKEA's core strengths is “democratizing design” – making good products accessible to everyone. Similarly, cybersecurity leaders should think about how they can democratize security to empower everyone in the organization to participate. One of my goals when I was a CISO was to have every person in the organization feel they were a deputy security officer and take ownership of security. Steps a leader can take to democratize security in that way include:
Sweat the details in design and testing: Just as IKEA invests heavily in design, engineering, and testing to ensure functionality and ease of assembly of their products, cybersecurity leaders can mirror that approach through threat modeling, architecture, and testing.
Identify your critical assets and understand potential threats and vulnerabilities.
Design your security controls architecture with precision to align with the risks, and incorporate multiple layers of defenses to protect the organization’s crown jewels.
Rigorously test the processes through internal and independent audits, penetration testing and other assessments, and tabletop exercises to identify areas for improvement.
Provide clear guidance and easy-to-use tools: IKEA assembly manuals use simple, intuitive diagrams and words that break a daunting assembly down into easy-to-follow steps. Cyber leaders should scrub their communications of technical jargon and communicate with straightforward language, simple graphics, and examples that get their points across to everyone.
Most IKEA furniture is assembled with nothing more than a screwdriver, a hammer, and its trademark Allen wrenches. Similarly, the security processes, tools, and actions we want the workforce to use should be intuitive and user-friendly. Want colleagues to use strong passwords? Provide clear guidelines and examples that tell them exactly how to do it, and a self-service password reset portal that makes it easy. Want them to report suspicious emails? Put an icon they can click to report an email in their inbox menu, and provide regular reminders that it is there and why it helps protect the organization.
Support as a partner: When I was an IKEA rookie, I once got stuck building a bookcase, and they stood behind their product and worked with me to get it right, even though it was my mistake and not theirs. Workforce members need that same kind of partnership from their cybersecurity team: not gotchas, where they fear getting in trouble for a mistake, but support through communication and dialogue. Building that kind of relationship takes time and effort: getting out to meet with people across the organization, listening to them, and making that openness the culture of your team.
For example, in my last role we rolled out a new email retention rule, under which emails older than a certain age would be automatically deleted. When we communicated the plan and implementation deadline, we immediately heard back from several departments that the new rule would be a significant hardship in their work. So we collaborated with each of them to develop an alternative approach. Being open to feedback can help you hit the right mark.
Just as IKEA tries to empower its customers to take ownership of their projects, security leaders can foster a culture of ownership, where every employee understands their role in protecting the company. Getting there means meticulous attention to your design, clearly communicating the expectations, and collaborating with leaders and staff to support their implementation.
Like a well-designed and packaged bookshelf kit, a well-crafted cybersecurity program enables users in your organization to work with confidence knowing they are helping protect your organization. You do not even need glue!
Hold Fast!
Stay True!
Great analogy Paul. These are great. Congratulations.