Security is constant. It’s fast-paced with a high burnout rate, and many companies continue to struggle with implementing basic security controls. Given the overwhelming reality of resources and time that are already being dedicated to a company’s security strategy, how can organizations begin to build security into a company’s DNA in a realistic way?
While it may seem onerous or unrealistic to some, it is possible to create more than a cyber-aware culture. Changing the fabric of a company’s DNA is more than just a Pollyanna goal, it’s a necessary reality. But it will take time and leadership buy-in. The very basic building blocks require a shift in the way companies think about accountability. It starts with making everyone in the organization responsible for cybersecurity.
Let’s be clear that there is a difference between corporate culture and a company’s DNA. The DNA encompasses everything that relates to the very fibers of the organization: all those aspects of the company that we don’t consciously think about. When we talk about building cyber into the company DNA, we want it to be part of the normal day-to-day operations. Security needs to be part of what we are investing in the organization and its people throughout the year. It must be part of the corporate development life cycle, so that limited resources of time and money never diminish the way the company values security.
When security is a part of the profit and loss statement, it inherently becomes a priority of the company’s goals. These are the ideas and behaviors we need to be going after in order to make security a priority for the organization.
So, what are some realistic steps you can take today? Here are a few ways to rebuild a company’s DNA and make a real difference in the way employees, the C-Suite, and the board value security.
- Have a security team. Whether you have the resources to have an internal team or you need to outsource, there are options available within your budget. But you first have to take security seriously enough to recognize that you need a security team. When building the team, it’s also important to define what security even means to the organization. What types of IP risks do you have on hand? How would a data leak impact the business? In addition to potential financial losses, you also have to consider the cost to your reputation. Take the time to answer these questions and reflect on what it will mean if you don’t value security. Think about what it will mean to customers if you don’t have security.
- Craft measurable goals. One measurable goal that any organization can set today is to reduce the number of threats or phishing attacks. That’s something that, with full transparency, the whole company can see and track. Set goals that tie back to the employees so that they can understand security and how their behavior impacts the organization. Measure month over month to determine whether the training is helping, and if you find that people are constantly clicking in phishing exercises, do something else. Employees need to be intrinsically thinking about what they do day in and day out and how their actions meet the goals of the organization. Internal acts cause breaches, but teaching employees to think about security at the office or at home will reduce the ways in which they potentially expose the organization to nefarious actors.
- Start security at the onboarding process. Security training isn’t a one-and-done exercise. Rather, effective security training happens throughout the entire year. There should not be a month that goes by where you can’t show your employees how they are doing. If they are shy of the goals, then offer mitigation steps to correct their actions. Harness and leverage every single employee in the company, because security is not only the responsibility of the CISO or the security team. It’s every single employee, from the janitor to the head of finance. You can’t be successful without every employee, so continually invest in them and tailor the training to them by eliminating the fear of being fired for making a mistake. Remove the fear and educate them.
- Create extensions to the security team. Call them liaisons, advocates, champions. Whichever label you choose, make sure that you are using and harnessing the strengths of all of the employees. The security team is trying to solve a global problem, which it can only do if each team across the organization has a security advocate whose goal is to get that message out. These security liaisons are available to answer questions or address concerns within their own departments. These extensions of the security team can be the right hand that helps teach, promote and raise awareness.
As exciting as it is to meet your goals, it’s also important to remember that bad things are going to happen. Employees want to do the right thing and help, so leverage the teachable moments. This is where the employees are really going to learn and excel. You don’t want them to be scared to speak up, so don’t underestimate the motivating power of rewards to nurture open communication.
It’s time to move beyond the foolhardy assumption that “it’s not going to happen to me.” Like so many organizations, you may not know where to start because security is so complicated. Accept that you feel overwhelmed, but then take the small steps to make security in your organization a top priority. There is no advantage to keeping security segmented into one particular area, fomenting the internal challenge that positions security as someone else’s job.
Of course, without buy-in and unyielding support from the C-suite and board of directors, it doesn’t work. This is a disruptive type of change, and fostering it needs a lot of top-level support. To nurture that, the CEO has to be out front with the bullhorn. If that isn’t happening, security will be an uphill battle.