Far too often, information security is treated as a necessary evil. Infosec does not generate revenue, there is no guarantee that a major breach will occur, and it costs a lot of money. We often observe that companies do not take information security seriously until after a breach has already occurred. When executives and senior management hold such opinions, it filters down through the culture of the company, makes the security problem more difficult to solve, and leaves the company more vulnerable. The most secure companies are those in which the C-Suite sees the value of information security and seeks to build a strong information security culture.
Start with Why
There are few things that annoy staff more than having processes, procedures, or rules arbitrarily changed and made more stringent, making their jobs just slightly more difficult or inconvenient. Most security solutions you implement have the potential to cause such discontent and annoyance. In our experience, when companies help their staff understand why employees can no longer, for example, use Dropbox or Google Drive, or why they now must have a 15-character passphrase instead of the usual 8 characters with a little complexity, there is far less pushback. Even the most stubborn and begrudging employee comes around and accepts the changes.
Training and Awareness
One of the most effective ways to build a culture of security is to keep security in the back of your employees’ minds. Regular training and awareness events are excellent ways to accomplish this. A wise strategy is to conduct at least one information security event per month. Here are just a few ideas that you can employ:
1. Monthly Information Security Newsletter distributed via email
2. An annual robust and engaging information security training
3. Participate in National Cyber Security Awareness Month in October with multiple events
4. Conduct phishing tests carried out by a contracted third party every few months. Measure how many people fall prey, track improvements over time, and report the results back to all staff.
Hold Management Accountable
Executives who are serious about security and about building a security culture are executives who will hold the management team accountable for failures or deficiencies in information security. One company that accomplishes this does so by requiring that information security reports be included in each business line's monthly reports. When the CISO, who reports directly to the CEO, identifies specific improvements or mitigations that need to be made, it is not the responsibility of the InfoSec team to make such changes, but rather that of the respective business line. If a particular computer was not wiped and rebuilt after a malware infection, a security policy was not implemented, or staff did not complete mandatory training, it is reflected in the review of the manager whose team had the problem.
Even if you do not take this particular approach, find ways to ensure that leaders are held accountable to build security into their own particular sub-culture. However, do not forget the why. It is equally – if not more so – important for managers to understand the why behind security as it is for the regular employee.
Engage the Board of Directors
The Board of Directors (or your organization's equivalent) is really where building a security culture takes root. The board contributes to business strategy, oversees – or at least has major influence on – spending, and is the body to which the CEO is accountable. It is the responsibility of the CISO, with the support of the CEO, to raise information security awareness with the board. This builds support for security plans and strategies. It is critical that the board receive an information security update and metrics at each board meeting.
Building an information security culture across your organization is critical to having a secure environment. Staff become more security aware in their day-to-day activities and are able to identify phishing attacks, managers are held accountable and in turn hold their staff accountable for security, and the CISO is empowered with funding and support from the highest levels to implement valuable, real security solutions.
About Security On-Demand
Security On-Demand (SOD) provides 24×7 advanced cyber-threat detection services for mid-market companies and state or local government agencies. SOD's patented behavioral analytics technology platform, ThreatWatch®, enables the detection of advanced threats, helping protect brand value and reduce the risk of a data breach. Headquartered in San Diego, California, with R&D offices in Warsaw, Poland, SOD services and protects hundreds of brands globally and is the winner of multiple industry awards. Please visit us at www.securityondemand.com. Find us on LinkedIn and follow us on Twitter @SecurityOnDmand.