Making security part of the company culture
My years of experience managing security programs, across a broad spectrum of industries, has given me a greater understanding of how technology and people both play a critical role in influencing the overall security posture of any organization.
Having observed different cultures at organizations large and small and with widely varying security budgets, I have noticed one common denominator. Regardless of whether a company has hundreds of security professionals or has dedicated millions of dollars in security funding, I can say those companies are still very much as vulnerable to cyber attacks as the companies who have limited resources. The reason: People.
The great wall of China had a simple goal of keeping the bad guys out. To some extent, it was successful, standing the test of time across war. However, armies were able to penetrate the walls, because of people. Soldiers protected the walls. Invading armies would bribe security guards and walk right through. People were a weak link; and they continue to be a big factor today.
Companies are attacked all the time. When preventative security controls work, these attacks fail. Attackers have realized this, and more and more, people are used knowingly or unknowingly to bypass these controls and hence become inside threats. People may not contribute to every successful attack, but when they are used, the harm and damage often have a greater impact than every other attack combined.
When an organization focuses too much on technology, the result is a false sense of security with the focus then being project orientated. Build the wall, and we will be safe. However, as with any well-managed project, cost management strategies always win out, often leading to many technologies being purchased without proper operational impacts and personnel requirements being factored in. This can lead to technology being left on the shelf or not fully configured to its best potential.
To counter this, there needs to be a balance whereby technology and people work in tandem.
A culture change is also required and it starts with the CIO or CISO getting a commitment to transform the mindset of the top ranks of the company. I have seen firsthand the consequences of a major cyber attack caused because of issues relating to a company having the wrong security culture.
Like raising kids, it's about behavior change. There are many theories in child rearing, but one that I have applied with success is a combination of carrot and stick with reinforcement. The internal processes around this are simple. It starts with policies providing the rules. Most CISOs stop here. Or take these unknown policies and begin hitting people over the head on occasion when they are violated. A better approach is to make these policies living. Better yet, have other parts of the company - or employees - contribute to defining these policies. This gives people a sense of shared responsibility. From there, awareness is important, making sure people are aware of the policies.
Implementing monthly awareness campaigns would be a good start, but use internal, social media-like strategies to provide multiple channels. Publish the policies as blogs, giving personal context to the why, and allow people to comment. Word spreads fast, the next time there is an awareness article, people are now motivated to understand in hopes that during the next audit, they are rewarded.Without that level of support, you end up with a well intended CISO shouting in the wind, people may hear them, but rarely change their behaviors. Make this a personal matter to employees. Security is everyone's responsibility – it may well be a cliché, but it’s the truth.