Cybersecurity trends come and go, but one enduring trend among technology leaders is building a culture of security.
This strategy allows organizations to move from the once-a-year, "death-by-PowerPoint" security training to where employees willingly embrace security best practices, professionally and personally. Despite research showing that organizations with strong security cultures have more visibility into potential threats, reduced cyber incidents, and greater post-attack resilience, progress toward this important goal has been slow.
As an organization showcasing the Internet’s most popular trends, TikTok's global chief security officer Roland Cloutier was the perfect source to show how a leading technology company fosters a security culture at scale.
I spoke with Roland recently to discuss how his team is building a culture of security and how leaders can use security as a differentiator. Here's what he shared:
How are you and your team are building a culture of security and transparency?
People are the foundation of any organization, and security is a team sport. At TikTok, it doesn't matter if you're in content development, security, or on the business side, everybody is involved in cybersecurity. If you think about it that way, your employees truly are your first line of defense. To strengthen that defense, we're creating a culture where everyone knows the mission: to protect what's been called the last sunny corner of the Internet. It's not an easy job to protect over a billion people worldwide. But we're committed to teaching and empowering our people in innovative ways.
We do this in a fun, entertaining, and creative TikTok kind of way. For example, we've built video games internally to educate our employees on cybersecurity best practices. We regularly create @TikTokTips videos featuring team members and creators to inspire people to always #BeCyberSmart. We host an internal series called "Mission Possible," featuring cybersecurity practitioners and specialists on our team. We've hosted "lunch and learns" with outside partners like HackerOne, inviting our top ethical hackers to share their personal stories and what motivates them to help keep our community safe and secure. We're engaging people in ways they want to be engaged.
How do you encourage users to make the right security and privacy choices?
It starts with us as security professionals. At TikTok, we have a responsibility to the people who entrust us with their data as they turn to our platform to express themselves creatively, be entertained, and find joy. We take that duty extremely seriously. That's why we invest in our people, processes, technologies, and partnerships. A big part of this is how we engineer security and privacy by design and our "follow-the-sun approach" to managing the platform to ensure we always have people "on" and focused on security. Given the volume of videos that process through our platform, as creators upload content 24x7, and how our infrastructure has to operate … it’s truly incredible, and we focus on protecting that.
For our users, we're focused on educating them. We're putting tools in their hands that they can use on platforms to make smart decisions about their information privacy and security.
What advice would you give to security leaders on how to build that security culture with employees?
First, be transparent. People want to see what's behind the curtain, so show them. Show them all the work it takes and get them excited about what you do for them. The second thing is explaining how it impacts their business or their lives. I always use this analogy as a former cop: If you don't tell people that it's against the law to blow a stop sign, they're going to blow stop signs. If cybersecurity is not part of your organization's "laws," and you fail to educate people on why they don't want to do that, people will [run] stop signs. Take the time to explain why certain things are bad, and how it impacts them, their job, or the company's future.
What role does education play in all of this?
It's essential to not just be transparent, but be educational. Educate the entire organization on the values and the opportunities of cybersecurity, including how it helps us in existing markets, how it helps us bring things to market faster, and how it helps us to be able to compete in different markets where we couldn't before. Be that person. Talking to security leaders directly, you should think about security as a differentiator — things like converged security, where you can bring multiple disciplines under one hat. You can understand and be a true educator back to the business on how risk impacts the organization in totality.
To watch the full discussion from last year's Infosec Inspire event, click here.