In your opinion, what are 3 key elements to succeed in a positive security culture, and what tips can you provide to implement change, successfully?
While “positive security culture” may sound like an attempt to glaze over tough issues, this concept is actually integral to the success of organizations if they are to reach security maturity. Here are a few examples of what that means to me and why it matters.
Make employees feel comfortable enough to speak up when threats are apparent
There’s always a desire by security leadership to chastise people who fall for a phishing exercise by firing them or putting them on notice. Organizations where employees don’t fear the security team will speak up if that link they clicked turns out to look suspicious afterwards. Communication and quick action are two principles that stop attackers before they can do any real harm. Create an organization that educates and rewards employees for being vigilant against attacks.
Restrict where it makes sense and not “because we can”
Employees are much more crafty than you’d expect. If you restrict their access to certain web sites or services, they will likely work to get around those roadblocks and by doing so add further risk to your organization. Think about the number of people who utilize Dropbox to make their work life easier. Either you can provide it for them, or you’ll have to just deal with “shadow IT” every day instead.
Focus on important changes, not just easy ones
At a previous job I had, every single time you’d leave your computer unlocked for a minute or two, some jerk would come up and send an email as you to the security team and make a big stink about it. Sure, it’s funny, but it’s mostly just Security Theater. There are plenty of risks to client-side attacks via plugins like Flash and Java, so why not open your co-worker’s browser and check that version number instead of sending out another dumb e-mail?
Positive security culture relies on keeping people motivated to be secure while not belaboring that point. It’s a delicate balance of focus and tact that few companies are able to strike. Next time you’re planning security process and formulating policy for your team, consider these points and maybe bring the right kind of change forward.
To find out more about our panel members visit the biographies page.