In your opinion, what are 3 key elements to succeed in a positive security culture and what tips can you provide to implement change successfully?
I’ve taken inspiration for my answer from an ex-CISO of mine, Adam Stanley (actually a CIO/CTO by trade, but he bravely took on both roles while recruiting). These are the three elements, known collectively as “TEA”, he worked hardest to embed in the IT and security culture of our organization:
– Trust,
– Empowerment, and
– Accountability.
Taking those components and translating them into concrete actions, these are my tips:
– Trust – Bridge the language barrier with superb, accessible comms and security training. This should be tailored for C-Levels, operational staff and in-between groups with distinct sub-cultures. Distrust is a natural response to rules and regulations that are imposed in a language you don’t understand, a sentiment often compounded by weak justifications that make no business or personal sense. By contrast, understanding quashes prejudice and opens the door for respect and trust – essential ingredients when trying to embed constructive consideration of security throughout an organisation.
– Empowerment – Security departments are a lot like legal teams (but often not so well paid, resourced or respected). They mainly have very flat structures, with managers trying to motivate and develop a team of highly qualified peers. You can’t retain these kinds of people without giving them the power to use their hard-won knowledge and experience. The dramatic skills shortage in the industry will take care of that.
Consistently demonstrate value-added to the board, welcome challenges to the status quo, soften barriers between layers of management and develop staff to move beyond security silos into business unit aligned roles (if those positions match their particular skill sets). CISOs are going to have to be smart about the way they structure security teams in the future. No one will stay in a job where attempts to improve things are ignored and promotion is never a possibility.
– Accountability – Spend time thrashing out a rock-solid risk RACI and confidently communicate security service limitations and dependencies. The biggie? Things WILL break or be broken. Leaving the board in denial about that, confused about risk ownership and clueless about the real complexity and cost of the job, destroys credibility.
How often does a JFDI order get handed down when something is delayed by security concerns? Security is everyone’s responsibility, but the CISO still gets roasted when a known vulnerability is exploited. A vulnerability that is still there because mitigation plans weren’t approved. It’s a typical result of the boom/bust security budget cycle. Incident-generated fear secures funding; then when things are quiet, money is diverted to projects with an easier-to-prove ROI.
If you don’t manage expectations about accountability, that wheel never stops turning. Networks grow unchecked on shaky security foundations. Conversely, if you do embed this awareness, the reputation of the security function will improve dramatically and give everyone a fighting chance to create an effective, longer-term security strategy.
There are many ways to improve security culture, and all of them have people at their heart. If I had to pick one of the three things above to prioritize, it would be accountability. While people don’t see security as their responsibility and don’t understand why it makes business sense, nothing will change.
Sarah Clarke | @S_Clarke22