I'm trying to build a more security-aware culture. Has anyone successfully embedded security responsibilities in other teams across the business?
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
Yes, but the key thing here is not adding additional responsibilities to folx across the business without support at all levels. Lots of ideas & strategy on this, and it was a big part of my talk at APCO… here are a few places to start:
First; it obviously needs to be valued from the top. If people taking security seriously don’t get promoted, raises, etc., it’s spitting in the wind and the org is sending conflicting messages.
Next; add enablement factors to support teams across the business & bottom up. This could be consultants & security coaches, could be a team tasked with shifting left & right. But budget and support additional resources to make incremental improvements and enable all.
Finally; invest in security that improves the *experience* for all. Many “security” tactical improvements make things better when they aren’t bolted on, like thorough MFA & SSO means you can relax on the “change challenging password every 30 days” and reduce account friction & also make things quicker to deliver while making them more secure.
· Security awareness extends past IT and begins at the top. Senior leaders set the tone and drive cultural change. Making executives aware of the risk to the organization posed by a lack of security awareness is key: loss of revenue, reputation damage, operational disruptions, intellectual property (IP) theft, and theft of personally identifiable information (PII).
· Establish a continuous security training program for all staff. Training staff about safe online computing, strong passwords, and social engineering will help mold the organization into the first line of cyber defense and ensure the confidentiality of sensitive business data.
· Keep the security program aligned with business objectives. Focus on specific incremental goals rather than trying to achieve too much too fast. Identify the security behaviors that need to be promoted and align those behaviors to business results so that employees can understand the value security has in protecting the overall organization.
Most importantly, successful security programs AVOID a culture of blame and fear when it comes to security. Security leaders should empower users with a culture of personal responsibility so staff treat data security in the same way they treat other company policies like health and safety.