TikTok's Roland Cloutier: How CISOs Can Foster a Culture of Security & Transparency
The social media platform's global security chief boils it down to being consistent, keeping it fun, and demonstrating the impact of choices.
February 2, 2022
Cybersecurity trends come and go, but one enduring trend among technology leaders is building a culture of security.
This strategy allows organizations to move from the once-a-year, "death-by-PowerPoint" security training to where employees willingly embrace security best practices, professionally and personally. Despite research showing that organizations with strong security cultures have more visibility into potential threats, reduced cyber incidents, and greater post-attack resilience, progress toward this important goal has been slow.
Because TikTok showcases the Internet's most popular trends, its global chief security officer, Roland Cloutier, was the perfect source to show how a leading technology company fosters a security culture at scale.
I spoke with Roland recently to discuss how his team is building a culture of security and how leaders can use security as a differentiator. Here's what he shared:
How are you and your team building a culture of security and transparency?
People are the foundation of any organization, and security is a team sport. At TikTok, it doesn't matter if you're in content development, security, or on the business side, everybody is involved in cybersecurity. If you think about it that way, your employees truly are your first line of defense. To strengthen that defense, we're creating a culture where everyone knows the mission: to protect what's been called the last sunny corner of the Internet. It's not an easy job to protect over a billion people worldwide. But we're committed to teaching and empowering our people in innovative ways.
We do this in a fun, entertaining, and creative TikTok kind of way. For example, we've built video games internally to educate our employees on cybersecurity best practices. We regularly create @TikTokTips videos featuring team members and creators to inspire people to always #BeCyberSmart. We host an internal series called "Mission Possible," featuring cybersecurity practitioners and specialists on our team. We've hosted "lunch and learns" with outside partners like HackerOne, inviting our top ethical hackers to share their personal stories and what motivates them to help keep our community safe and secure. We're engaging people in ways they want to be engaged.
How do you encourage users to make the right security and privacy choices?
It starts with us as security professionals. At TikTok, we have a responsibility to the people who entrust us with their data as they turn to our platform to express themselves creatively, be entertained, and find joy. We take that duty extremely seriously. That's why we invest in our people, processes, technologies, and partnerships. A big part of this is how we engineer security and privacy by design and our "follow-the-sun approach" to managing the platform to ensure we always have people "on" and focused on security. Given the volume of videos that process through our platform, as creators upload content 24x7, and how our infrastructure has to operate … it’s truly incredible, and we focus on protecting that.
For our users, we're focused on educating them. We're putting tools in their hands that they can use on platforms to make smart decisions about their information privacy and security.
What advice would you give to security leaders on how to build that security culture with employees?
First, be transparent. People want to see what's behind the curtain, so show them. Show them all the work it takes and get them excited about what you do for them. The second thing is explaining how it impacts their business or their lives. I always use this analogy as a former cop: If you don't tell people that it's against the law to blow a stop sign, they're going to blow stop signs. If cybersecurity is not part of your organization's "laws," and you fail to educate people on why they don't want to do that, people will [run] stop signs. Take the time to explain why certain things are bad, and how it impacts them, their job, or the company's future.
What role does education play in all of this?
It's essential to not just be transparent, but be educational. Educate the entire organization on the values and the opportunities of cybersecurity, including how it helps us in existing markets, how it helps us bring things to market faster, and how it helps us to be able to compete in different markets where we couldn't before. Be that person. Talking to security leaders directly, you should think about security as a differentiator — things like converged security, where you can bring multiple disciplines under one hat. You can understand and be a true educator back to the business on how risk impacts the organization in totality.
To watch the full discussion from last year's Infosec Inspire event, click here.