I'm trying to build a more security-aware culture.  Has anyone successfully embedded security responsibilities in other teams across the business?


Chief Information Officer in Healthcare and Biotech, 1,001 - 5,000 employees
Security cultures will vary and often are unique to a business culture. Most security programs are deliberate with a set of actions to promote awareness and there are some significant features of successful security cultures.

· Security awareness extends past IT and begins at the top. Senior leaders set the tone and drive cultural change. Making executives aware of the risk to the organization posed by a lack of security awareness is key: loss of revenue, reputation damage, operational disruptions, intellectual property (IP) theft, and theft of personally identifiable information (PII).

· Establish a continuous security training program for all staff. Training staff about safe online computing, strong passwords, and social engineering will help mold the organization into the first line of cyber defense and ensure the confidentiality of sensitive business data.

· Keep the security program aligned with business objectives. Focus on specific incremental goals rather than trying to achieve too much too fast. Identify the security behaviors that need to be promoted and align those behaviors to business results so that employees can understand the value security has in protecting the overall organization.

Most importantly, successful security programs AVOID a culture of blame and fear when it comes to security. Security leaders should empower users with a culture of personal responsibility so staff treat data security in the same way they treat other company policies like health and safety.

Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
Yes, but the key thing here is not adding additional responsibilities to folx across the business without support at all levels. Lots of ideas & strategy on this, and it was a big part of my talk at APCO… here are a few places to start:

First, it obviously needs to be valued from the top. If people taking security seriously don’t get promoted, raises, etc., it’s spitting in the wind and the org is sending conflicting messages.

Next, add enablement factors to support teams across the business & bottom up. This could be consultants & security coaches, could be a team tasked with shifting left & right. But budget and support additional resources to make incremental improvements and enable all.

Finally, invest in security that improves the *experience* for all. Many “security” tactical improvements make things better when they aren’t bolted on; for example, thorough MFA & SSO means you can relax on the “change challenging password every 30 days” rule and reduce account friction, and also make things quicker to deliver while making them more secure.
