Whether you’re a small business, a large business, an academic institution, a non-profit or a government agency, it is now absolutely critical that you weave a fabric of security throughout your organization.
You’ve heard it a thousand times, but it can’t be overstated: Culture is created at the top and trickles down into the organization. Today’s executive leadership must do more than issue edicts and implement tools. They must truly embrace security. Leaders must deeply understand and regularly communicate its importance to the health of the organization.
Executives from all departments in all industries should make it a goal to become educated in security. They don’t need to become experts (yet), but they do need to understand the risks and how to protect their organization against threats.
If you haven’t signed up to attend CyberConnect, do so here.
Tone is Everything
Senior leadership can view security in one of two ways: 1) A necessary evil, or 2) An opportunity to improve and ensure the overall health of the organization. Guess which will cultivate a more secure environment?
When members of the leadership team roll their eyes and lament the fact that they have to facilitate another SOX audit or implement a new round of NIST standards, that attitude becomes infectious. If it’s perceived as a waste of time, that perception will be shared across the organization. And there will be consequences. The most common reason for security framework failure we see is that it wasn’t implemented with the right attitude.
So, consider that standards like NIST, ISO and SOC are actually incredibly valuable security tools that, if not provided by government agencies would cost organizations tens if not hundreds of thousands of dollars to design on their own. Not to mention that without standardization, every approach would be different and virtually none would be sufficiently comprehensive.
These security frameworks weren’t designed to tick a box. They exist to raise the security posture of the organization. For this, we should be grateful rather than derisive.
Frameworks are Valuable Tools
A security framework starts by identifying and evaluating specific categories of risks. It then maps those risks to controls that mitigate against them and illustrates how those controls should be implemented. Controls may be manual, like an individual monitoring a log and taking action as necessary, or they may be automated, like firewalls configured to prevent certain types of traffic.
Centrify provides a meticulous framework designed to assist in raising your identity security profile. Security starts with identity and it's essential they be protected in every way possible.
Security as a Partner
When leadership fails to effectively communicate that the security team is there to protect employees, customers and the business itself (which includes their jobs), people tend to view security teams as sticklers that take their jobs too seriously. They implement rules and that are hard to follow, time consuming and hard to remember.
Not taking the time to educate employees allows for an adversarial relationships to develop between teams. That isn’t healthy, isn’t going to improve your security posture and isn’t going to keep your organization safe. Communicate the value of that team regularly.
A positive trend we’re seeing is internal security organizations partnering with departments like operations and R&D. Leaders in these areas specifically (especially in industries like software) desperately want to be secure.
While department leaders typically understand the technical realities and the tactical necessities required for securing code, operating systems and networks, they require assistance in understanding which risks have been addressed and which haven’t, in gaining a more global view of security and in communicating how their actions help to mitigate risk.
Partnering with an internal security organization makes the entire organization more secure and helps to communicate how each department’s activities fit into the overall scheme. That information is then rolled down to the boots on the ground that are focused on implementing security measures. After all, buy-in is better achieved when individuals know exactly why they're doing what they're doing and they understand the value their actions bring to the organization.
Organizations can learn the impact of data breaches on reputation & share value to companies with our report here.