How can IT leaders engage people to take ownership of the security conversation?


IT Manager in Services (non-Government), 10,001+ employees
From my experience, it's a matter of understanding when people buy in. When people start understanding our concepts, they have buy-in. If they don't understand it well, then it's always on the back burner. It's never a topic that they think about right at the outset.

We've seen that within our organization. In the recent past, people were resistant, but when we got them to understand, they'd say, "Oh yeah, sure. I'm on board." And security awareness has also changed. It used to be so watered down. Everybody would go through this training, and for technical professionals or people who've watched it for years and years, it’s boring. Now it's challenging and there are other ways of learning that are more engaging.
Director of Information Security Assurance, 1,001 - 5,000 employees

I agree with you. In the past our security was very dry. It was kind of boring, so people wanted to ignore it. We had to start engaging with individuals, and find ways of making it fun. I also think that with COVID, working from home has made it more real for them, because it's brought the risk home. That brought security awareness home—maybe not as much as it should be, but I think people are starting to realize that they need to pay attention to this.

Director of Information Security Assurance, 1,001 - 5,000 employees
One of the things that Beth-Anne says, which has challenged me, is that security shouldn't always be about saying no. It's saying, "We can't do that, but," or, "I don't know if we can do this, but what about that?" That starts to build a partnership; you're building those relationships so that we can bring it forward together. We raise awareness together and partner to determine how we can work this solution in from the beginning. Get security involved in the beginning and we can work together to make us safe, while also making the revenue, products, etc., work more for us.
IT Manager in Services (non-Government), 10,001+ employees

I like that you used the word partnership. It is a partnership—it's a back and forth exchange, as opposed to the traditional way, where security was seen as the arm wielding a big stick and forcing people to do things. 

Head of Security and Compliance in Software, 51 - 200 employees
You do need buy-in and partnership, but I would take it one step further: you need ownership as well. You are part of the business. You own a piece of it. If you call yourself an employee, you have a responsibility to sustain the business, thrive, and prosper. Without having that mindset and underlying background thinking, you can build up goodwill, but the moment something happens, your goodwill collapses. Competitors are always looking for ways to pick on you and deflate your balloon. So you build your foundation so that it's actually solid enough to continue. And that means you need to have ownership interest. Understand that you build security in at the start because it will help the business to prosper and in turn, that helps you.

Director of IT in Software, 201 - 500 employees
When leaders in an organization take security seriously, and not just formally endorse it but make it part of every project and engagement, then everyone else takes it more seriously. To the employees, it's really important how security, or the lack of it, can endanger the organization, can cripple it and create a negative image that will ultimately lead to fewer sales and less growth. Everyone wants to be part of something bigger; the majority of employees want to be part of the organization's growth and want to take an active part in protecting the organization's assets. They just need to be made aware of the consequences and know that their everyday actions, like clicking on an email link or disclosing sensitive info while on the phone with an unknown party, can lead to big losses.
From the employees' perspective, the security team should not be seen as the team that should protect us, but the team that will work together with us to help protect the organization.
