How do you build a security-focused culture within IT?

Vice President, IT & Systems in Software, 5 years ago

Security should be part of everyone’s job responsibilities within IT. Right when people join, mandatory information security training should make this part of their DNA. We showcase the partnership and joint goals between security and IT operations teams. This brings in joint responsibility, whether it’s onboarding, ticket management, vulnerability fixes, incident and change management, internal IT audits, etc., as part of shared responsibility and training. I think everybody within IT should feel that they are contributing to security overall to build a security-focused culture within IT.

no title, 5 years ago

It's a culture shift you have to create by educating people on what it is that you're actually doing. I've found that when we set up something new, a lot of people ask us questions about what we're doing. The first thing they want to know is basically if the company is watching what they post on social media or what they buy on Amazon. They don’t understand that's the least of my worries. My worries are, “Did you accidentally send out something with a bunch of PII to someone you shouldn't have sent it to?” Those are the real concerns, things that create liability for the company, because our entire job is to enable the company to securely be productive. So I think the first thing is to get everyone on board and explain what we're looking to do and what we're trying to protect against. This isn't about a big brother situation. I always tell people, "What you do on your computer is a productivity situation between you and your manager. What we do to secure the endpoint is to protect the company." I like to impress that upon people.
