From The Desk of the CISO
Developing a “Security Aware Culture”
By Rob Ashcraft, CISO at KeyStone Solutions
An important element of building a robust information security program is getting everyone on board, that is, having security awareness ingrained in your organization’s culture. Once an organization has created a sound cyber strategy, developed comprehensive security policies, and implemented technical and physical controls, the toughest challenge still remains: implementing the administrative controls. This means getting employees to understand how security policies apply to their everyday system use and to make the right choices. The best way to achieve the adoption of policies is to make them part of the business culture. As business management authority Peter Drucker stated, “Culture eats strategy for breakfast.”
The first step in developing a “security aware culture” is true “buy-in” from your organization’s executive leadership. When employees hear the executive team talking about the importance and need for consistent security awareness, it will become important to them. When your employees see the executive team exercising good cyber habits, they will exercise good cyber habits too. Conversely, when employees hear the executive team complain about the inconvenience of security measures or bypass security controls because they are too busy, that message will also be loud and clear: “security is not important to this organization.”
It is essential to get the entire organization, top-down, engaged in keeping your systems and data secure. When the leadership is consistently talking about security awareness, discussing different hacking techniques, social engineering methods, and the importance of making the right decisions while working online, it will foster a “security aware culture.” If the organization and its executives are invested, employees will follow that example and become invested. What is the return on investment? By developing a “security aware culture,” you will cultivate better and more consistent user habits, thus strengthening your organization’s overall security posture.