Five Top Tips for Building a Strong Security Culture
Security should be embedded in every level of an organization.

Building security into the framework of an organization prevents security from being seen as a barrier to daily activities. If an employee feels as if a security measure is inhibiting them from completing their daily tasks, they’re far more likely to find a way around that measure. This can range from propping open a door to using the same easy-to-remember password for every account.
These seemingly small acts can multiply, making it easy for threat actors to attack an organization. Maybe a former employee finds that their door code still allows them into the building. Or a password consists of easily accessible information, such as a wedding anniversary or publicly shared birthday. Perhaps an outdated video management system (VMS) is allowed to remain because there “hasn’t been an incident.”
Courtney Hans, Vice President of Cyber Services at ANV, shares her top five tips for building a security-first organization.
1. Understand the business. Lead your conversations with curiosity.
Security professionals should lead with curiosity. Take the time to understand operational goals and workflows, everyday points of friction (related to security or not), and motivations for the departments and teams within your organization. This isn’t a one-and-done activity, but an ongoing dialogue, and one that is critical for the next step.
2. Be an ally, not an adversary. Help the business accomplish its objectives.
Make their objectives your objectives. Help the business accomplish its goals with security, not despite it. When your colleagues realize you’re on the same team, the same side of the table, so to speak, you’ll get brought in earlier and more often. This ensures security will be included in strategic priorities.
3. Be approachable (don’t become the “Department of No”).
Too often security teams get labeled the “Department of No.” If your colleagues expect objection and a lecture every time they have a conversation with you, they’ll find ways to work around you, and your shadow IT concerns will grow exponentially. Be approachable, speak to their level of understanding (e.g., either explain or avoid acronyms) and check (kindly!) for understanding. Discuss risk in business terms and tell real, relatable stories that are relevant to your audience.
4. Be an enabler, not an obstacle.
Be an enabler, not an obstacle. Security and convenience don’t often co-exist, but there are a few notable exceptions (password managers, Single Sign-On (SSO)). Security culture collapses when processes are painful, so simplify where you can.
5. Praise publicly, criticize privately. Reward good security behavior.
This isn’t new advice for leaders by any means. Offer sincere, public praise for secure-by-design team decisions. Celebrate the employee who reported a concern to the security team. Encourage cross-functional leaders to do the same, demonstrating that security is a part of everyone’s job.