Ask any technical department what its major challenges are concerning cyber security, and it is almost guaranteed that many will say their number one bugbear is changing the security culture of their organisation.
Too often, says Jayson O’Reilly, director of sales and innovation at DRS, security is perceived as negative, and as a hindrance to organisational growth that confines the execution of core business services. “These sorts of views are creating challenges for information security professionals to get business buy-in, and be able to enforce security-related policies and procedures. This is where developing a security culture comes in. A good place to start is to appoint a ‘champion’, and get support at senior levels to ensure it gets the attention it deserves.”
A “from the top down” strategy is best, as support from the business leaders helps to change the culture, and ensure that security becomes a priority across all the business lines. In this way, a strategy can be developed that justifies the expenditure needed for security initiatives, as business leaders will understand how it aims to protect critical services. “Ultimately, what really helps is if employees and executives all understand what the real impact to the business would be should it fall victim to a breach.”
Another important factor, he says, is understanding the business and its culture. “A security programme must fit with the culture, it can’t be tacked on as an after-thought. In addition, the plan must be simple, and easy for even non-technical staff to understand. This isn’t always easy, as very technical staff might have trouble articulating, and ‘dumbing down’, more technical aspects into layman’s terms. The involvement of HR or marketing can be of assistance here.”
In addition, he says, governance and compliance need to be recognised and understood in terms of all the business functions, and all staff need to be able to access these policies, and should be mandated to review them on a regular basis. “Getting employees to review policies can be a daunting task, but there are ways and means to do this, and it is not a bad idea for the company to put some methods in place to validate that staff have actually reviewed them. This could include introducing policy sign-offs, notifying staff via pop-ups should they be visiting unsuitable Web pages, and articulating the consequences should they fail to follow the correct procedures.”
According to O’Reilly, another important point to consider is consulting the security team during the initial phases of any new business initiative, to ensure that potential problems or security concerns will be addressed early on. “It is very ineffective to tack security on as an afterthought; too often it is a case of closing the stable door once the horse has already bolted. Address security during the early stages of development to save expensive and resource-consuming hassles after the fact.”
Next, he says, comes raising security awareness. “Make sure staff understand how crucial it is to secure the business’ proprietary, confidential and privacy-related data, and drive home the potential consequences of not doing so. Again, the technical team can work with HR to build content that can be used to promote security awareness across the organisation, to help staff fully understand that security is a vital element of the organisation’s fiscal health.”
Again, get marketing involved to develop internal communications and branding that are in line with the organisation’s culture, and that drive home what the business is trying to achieve in a user-friendly manner, he says. “Introduce basic security training for staff, and get HR to ensure that it is carried out.”