In big and small companies alike, security issues are often seen as bureaucratic red tape. In reality, security is a never-ending journey.
For example, when Ford’s Model T hit the market in the early 1900s, it didn’t come with seat belts. These now-ubiquitous safety features didn’t become commonplace in all cars until the 1950s. And it wasn’t until the 1970s that laws were enacted to make seat belts standard in all new cars.
Yet it took a cultural shift in society to convince people to actually use seat belts and make all of those previous efforts worthwhile. Concerning safety and security, the more minds that are focused on solving or preventing problems, the better.
Installing a chief security officer in the C-suite is great. When everyone in the organization understands how certain behaviors can lead to compromised security, as well as what’s being protected in the first place, a culture of compliance is created.
People Are the Foundation of Security
More than 15 billion devices comprise today’s Internet of Things (e.g., cloud-based, machine-to-machine communication, like thermostats or refrigerators connected to the web). With hackers increasingly using these as gateways to access sensitive data, and with more of our workload being processed in the cloud versus traditional information systems and technology, security breaches are now part of our home and work lives.
Unfortunately, it’s impossible to write code that results in perfect security, especially as systems become more connected. Computing firms learned long ago that the best defense is open-source security. However, people are now both the targets and perpetrators of security attacks — sometimes unintentionally.
Businesses can’t expect every one of their employees to fully comprehend how to conquer the botnets of the world, but having sound company security cultures will help.
As a business leader, you can protect your organization by following five steps to foster a culture of compliance:
- Assess your organization’s security. Start with assessments to determine where your company is lacking in security, including a social engineering assessment to gain insight into the weakest points. This will reveal which groups may need more help assimilating into the security culture.
- Enable self-service. Don’t just feed people information about security; provide them with tools, scripts, and processes to assist them in properly accessing data they’re allowed to see. This will also safeguard against accidental disclosures of sensitive information. Department heads should be able to answer general questions, but established processes can show employees where to turn in regard to specific security problems or concerns.
- Market internally. Developing sound security practices may be the domain of security experts, but instilling and reinforcing those practices throughout organizations calls for marketing efforts. Have your marketing team focus on security awareness training sessions, and build a “brand” around best practices that employees can relate to and remember.
- Budget for security. Good security practices can be measured, but not by ROI; they’re necessary costs of doing business based on organizations’ risk profiles. A strong security program should always be part of the budgeting process.
- Define responsibilities. The security head is ultimately responsible for your company’s safety measures, so make sure that person has a seat at the table for critical projects. An effective security officer must be afforded meaningful power to route projects through a secure development life cycle.
Data breaches may be a part of everyday life now, but with a strong security culture, your organization doesn’t have to fall victim. People are your last lines of defense. Arm them with the knowledge and tools they need to keep your company safe, nimble, and competitive.[su_box title=”About Brad Thies” style=”noise” box_color=”#336588″]
Brad Thies is principal at Barr Assurance & Advisory Inc., a risk consulting and compliance firm that provides business performance, information technology, and assurance services to clients across a variety of industries. Thies specializes in helping clients assess, design, and implement processes and controls to meet customer, regulatory, and compliance requirements. Brad is a certified public accountant and a certified information system auditor with more than 10 years of experience in the industry.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.