Four ways to build a culture of security
When training and testing are not enough, look deep and change the culture.
No company wants to be the next data breach victim on the front page of The New York Times. But when phishing was fingered in 90 percent of the incidents and breaches examined in the 2017 Verizon Data Breach Investigations Report, some CISOs may want to throw up their hands in defeat. How do you stop the human error? How much training is needed?
Maybe the long-view question should instead be: “Do we have a culture of security?”
Successful security must not only be built into software and systems and processes. It must also be part of the fabric of an organization and how its people think, create, and connect. And while still critical, it’s no longer enough to simply do new employee trainings. At CA, we’ve taken this credo to heart.
4 ways to instill a security-centric culture:
1. Build your culture change on a solid foundation
The most important step a company can take is to build its culture change on a solid foundation of good policies. These need to be security policies tailored to what you actually want people to do, not just paperweights.
The policies need to be written and delivered in a way that is realistic for people to read and understand, and that also serves as a quick reference in any given situation. These policies are critical not only to ensure your company is protected, but also to build trust among your customers and partners.
At CA, we created five short, focused policy documents on different aspects of information security. We based these on the NIST Cybersecurity Framework and used the information security functions listed in the framework as the foundation for each document.
2. Make sure everyone is on the same page
Once you have policies in place, you need to share them with the entire company. I’ve found that your marketing and communications team can be a big help in finding creative ways to spread the word about new security policies. Unfortunately, too many companies have someone in the compliance department who leads these efforts — this needs to change.
Too many of today’s trainings are focused on temporary memorization of a small set of activities. Let’s make it fun.
At CA, we use training games, engaging guest speakers, and regular newsletters full of best practices to make learning about information security interesting and to reduce the potential for complacency among employees. We also do extensive testing, and if someone repeatedly fails the tests, we require additional training. Finally, to help combat phishing attacks, we have started marking emails that originate from outside the company with a notification.
3. Bring it home
One of the best things a corporate security team can do to improve the culture of security is to provide tools for people to use not only at work, but also at home. With a mobile workforce, providing security tools people can use on the go, or including advice on protecting home activities in the security newsletter, extends the message and may be where the greatest progress in building good security habits is made.
4. Accountability top-to-bottom
Company leadership needs to be ready to back up the security team when there are policy violations. In today's sophisticated threat environment, you can expect that someone will violate company security policies, intentionally or not.
Leaders need to be part of the security-aware culture, and need to be especially careful in following company policies. Their actions in this area will be watched closely, and if the executives show that they don’t consider the company security policies important, few of their employees will.
A culture of security needs to be not only about policy but also action. At CA, we are committed to building security into everything that we do, from software and solution development to hiring and promoting our employees. We hope you’ll join us in this journey.