by Todd Thibodeaux

6 steps to creating a culture of security ownership

Oct 31, 2016
IT LeadershipSecurity

Technology touches all employees within an organization, not just those in the IT department. Security should be no different, with a commitment that permeates from the top on down.

green illustration of man and cybersecurity icons
Credit: Thinkstock

The state of corporate cybersecurity is anything but static. With the list of potential threats diversifying, the stakes are high for securing company systems and data. As the average cost of a data breach grows (currently estimated at $4 million), business leaders’ appetite for risk lessens. And yet fewer than half of information security professionals feel that their company’s defenses are completely up to par, according to our research at CompTIA.

Contrary to what some business leaders may believe, protecting your organization’s infrastructure and intellectual property doesn’t start with investing in a firewall. It starts with embedding cybersecurity into your company culture. Technology touches all employees within an organization, not just those in the IT department. Security should be no different, with a commitment that permeates from the top on down.

Here are six steps that can help set the tone for a more vigilant, accountable workforce:

  1. Rethink your C-suite structure: It’s one thing to create a Chief Security or Information Security Officer role, but who that person reports to can influence your organization’s security approach. By letting your top security leader report directly to the CEO, they benefit from greater visibility into company operations and decision making. It also sends a clear message throughout the organization that cybersecurity isn’t isolated to the IT department.
  2. Prioritize end user literacy: Though many IT professionals feel their organizations’ employees have a solid grasp on security, research and real-life incidents tell a different story. Globally, more than half of organizations report that human error is a major contributor to security breaches and related incidents. The root problem is a lack of end-user awareness. “Cybersecurity 101” sessions during new employee onboarding aren’t enough to instill sound habits. Business leaders must demonstrate their buy-in for robust end user training — from ongoing e-learning courses to simulated phishing exercises — and back it up with the resources to fund it.
  3. Establish the right metrics: One of the biggest challenges to implementing new initiatives is overcoming the belief that current strategies and resources are “good enough.” IT and security executives can and should do more to ensure that their organizations’ defense protocol is rooted in facts, not feeling. Partnering with third-party experts, they can develop ways to gauge the efficacy of their current security efforts, and measure them against industry standards.
  4. Unite business and technology processes: Elevating cybersecurity to a department-agnostic issue goes beyond deploying data loss prevention or identity access management solutions. It involves formalizing new processes (and updating existing ones) through a combined business and IT lens. Risk and compliance management, new vendor selection and end user security training can’t be practices that IT departments outline and impose on their colleagues. Line of business leaders must be equally involved in shaping these policies to ensure they’re enforced and effective.
  5. Promote a new outlook for security spending: Security comprises a single slice of the IT budget, one business leaders historically viewed as something to be contained, investing only when necessary in times of real or looming crisis. Organizations striving to foster a culture of security need more proactive stances toward their strategy and spending. This means positioning cybersecurity as an investment opportunity, not a reluctant line item.
  6. Incentivize accountability: Rallying support for new policies and promoting cybersecurity awareness can easily be met with resistance and shoulder shrugs, so organizations must get creative. Offering perks for departments or teams that collectively participate in the most security education opportunities can motivate non-technical staff to take security seriously. Likewise, employees who offer new security ideas, or call attention to possible security flaws, should also receive company wide recognition to encourage similar initiative across the organization.

Organizations are only as secure as their weakest password, governance process or end-user habit. When executives treat cybersecurity as a corporate principle rather than an IT duty, all employees have a reason to support the cause.