Transcript of interview with Typical Employee

Training
Operational Security
Data Security

Auditor: I’d like to understand the security culture from an individual contributor perspective. In your experience, how well does security awareness permeate through the organisation?

Employee: I think there is pretty strong top-down emphasis on security here. Training reminds us of policies and best practices. Managers also enforce secure behaviour through oversight.

Auditor: That’s great to hear. And do you feel empowered to identify and raise security concerns or incidents?

Employee: Yes absolutely. The open door policy with leadership makes it comfortable to voice concerns. I know reporting mechanisms exist anonymously also without fear of retaliation.

Auditor: Excellent. From your interactions, do IT and security teams solicit feedback to improve controls and experiences?

Employee: Occasionally surveys request input and feedback on policies and systems. I’ve also been involved in focus groups to assess new controls before rollout, which I appreciate.

Auditor: That’s good collaboration. Lastly, are there any gaps you perceive in security practices either at an organisational or individual level?

Employee: Potentially improved security for our WiFi networks and guest policies. Other than that, I think continuous training and awareness smooths any rough edges in employee behaviour over time.

Auditor: What tools or systems do you use daily that are critical for your productivity?

Employee: The ERP system for managing orders and inventory. Email and instant messaging are hugely important for communication. The VPN for remote access enables working from home.

Auditor: Have you noticed any recurring operational challenges related to security controls?

Employee: The VPN can be slow during peak usage times, likely due to the MFA requirements. Other than minor annoyances like that, no major issues come to mind.

Auditor: Are there any areas of the business more reluctant to adopt security best practices in your experience?

Employee: Generally no - company-wide training sets consistent expectations. Sales teams tend to push back more when security processes impact deals, but compliance is still mandated.