Jerry Gamblin has a question he wants security managers to ask employees throughout their organizations: Why is our data worth protecting?
"Go ahead — survey a few co-workers with this question," says Gamblin, a principal security engineer with Kenna Security, as he plants his tongue firmly in his cheek. "Were you satisfied with the answers? Did they understand clearly what data your organization collects and why it's important to protect it?"
Ay, and there's the rub. The lament of so many CISOs and security managers around the globe is this: While the organization may claim to care about security, do those within it understand why? Do they know what is truly at stake should a breach or security incident occur?
October is National Cybersecurity Awareness month. While any security leader worth his or her salt will say awareness is an effort that should be year-round and continuous, every October offers security departments their time in the sun to crow about the importance of employee awareness and education. This, in and of itself, reveals security is now a priority for business.
"When I first started talking about security many years ago, employees looked at it as a 'work' thing – something that was done by the IT people who wanted to make sure the company's systems didn't break," says Roland Cloutier, corporate vice president and chief security officer at ADP. "Training was almost nonexistent, and security was seen as optional."
But not anymore. Gone are the days when security was seen as an IT function. Employees typically know security is much more. But in order to instill a true understanding of security throughout, CISOs need to focus on building a security culture. Veteran CISOs will tell you there are effective ways to get this done and, um, less-than-effective ways, too (think: shaming). But more on that later.
Back to Basics
According to Gamblin, step one of building a security culture is to start with a basic PowerPoint about corporate data policies and procedures. At least then people will understand what they're protecting – and why.
This presentation should include "why you collect the data, why it's important that it's collected, and what could happen if the data were stolen. Once everyone in the organization has a clear understanding of this, the security culture will grow organically," he says.
We know from plenty of studies that end-user error leads to the majority of security incidents in organizations. We also know that despite best intentions, people make mistakes. Training is important in helping them recognize threats and understand that recognizing risk is everyone's responsibility.
"Require employees to take engaging and continuous security training that both educates them on your company's security policies but also sets a tone that security is important to the company and its leadership," Cloutier says. "This can be done by email, blogs, intranet postings – anywhere employees are looking. The tone should be light, engaging, and focused on storytelling."
The training you offer should be about more than why it is important to protect corporate data and intellectual property. Jill Knesek, chief security officer at Cheetah Digital and formerly the CISO at Mattel, says the information needs to be relevant to personal lives in order to get employees to take notice.
"Once your employees start thinking about security at work and home, it will become second nature and will increase the possibility that your employee makes the right decision when they get a malicious phishing email," she says.
Of course, sometimes when employees do things that cause a breach, they aren't mistakes. Malicious insiders are a massive problem for security. Verizon's Insider Threat report finds the top motivations of malicious insiders are financial gain, fun, and espionage. But most employees want to do the right thing, and ADP's Cloutier advises giving them the tools to take security into their own hands if needed and report suspicious activity.
"Implement an easy, user-friendly way for employees to report incidents to the security organization without fear of repercussion," he says. "If employees feel that the security organization is there to help them and protect them, they will be more likely to report incidents as they arise. You can do this by setting up a website, offering a toll-free phone number, or even having an app that is right on their mobile device."
Championing the Cause of Security
An emerging concept in companies that are serious about security is the "security champion" program. In some companies, a security champion serves as the voice of the developer on security issues. But many organizations are also designating champions throughout the business. The champion takes on the responsibility of being the primary advocate for security within a team, serving as a first line of defense for security issues.
Lena Smart, CISO with MongoDB, is building a security champion program with interested employees eager to help with security posture.
"We have volunteers from many teams, globally, who are willing to become the 'security champion' for their group," Smart says. "This includes the opportunity to meet directly with security leadership on best practices and to incorporate those security practices within their particular business unit."
The volunteers already have an interest in security, and their outside perspective helps diversify the security organization, Smart says. They act as a conduit between internal teams to help break down silos, while shifting security to a shared goal. This fosters the attitude that security is an organization-wide responsibility.
Create a No-Shame Zone
As noted earlier, employees are going to make mistakes. Negative reactions will get you nowhere.
"Trying to force change by lecturing and shaming people on their security or lack thereof will rarely elicit the changes you want," Smart says. "Instead, make security a shared focus by inviting all departments into the security organization."
Cloutier agrees, and in his long career has come to understand how ineffective shaming is for building a security culture.
"The biggest lesson I've learned is that pushing policies and punishing people for making mistakes never works," he says.
Keep the education engaging, interesting – and fun, he advises.
Yes, fun. The security department can have fun sometimes. In part two of our look at building security culture, we will talk to some CISOs who believe the key to building security culture is through soft skills – and by making the security department "lovable." Who knew security could be warm and cuddly?
(Image: arthead via Adobe Stock)