How can IT leaders engage people to take ownership of the security conversation?

Anonymous Author
From my experience, it's a matter of understanding when people buy in. When people start understanding our concepts, they have buy-in. If they don't understand it well, then it's always on the back burner. It's never a topic that they think about right at the outset. We've seen that within our organization. In the recent past, people were resistant, but when we got them to understand, they'd say, "Oh yeah, sure. I'm on board." And security awareness has also changed. It used to be so watered down. Everybody would go through this training, and for technical professionals or people who've watched it for years and years, it’s boring. Now it's challenging and there are other ways of learning that are more engaging.
2 upvotes
Anonymous Author
One of the things that Beth-Anne says, which has challenged me, is that security shouldn't always be about saying no. It's saying, "We can't do that, but," or, "I don't know if we can do this, but what about that?" That starts to build a partnership; you're building those relationships so that we can bring it forward together. We raise awareness together and partner to determine how we can work this solution in from the beginning. Get security involved in the beginning and we can work together to make us safe, while also making the revenue, products, etc., work more for us.
1 upvotes
Anonymous Author
You do need buy-in and partnership, but I would take it one step further: you need ownership as well. You are part of the business. You own a piece of it. If you call yourself an employee, you have a responsibility to sustain the business, thrive, and prosper. Without having that mindset and underlying background thinking, you can build up goodwill, but the moment something happens, your goodwill collapses. Competitors are always looking for ways to pick on you and deflate your balloon. So you build your foundation so that it's actually solid enough to continue. And that means you need to have ownership interest. Understand that you build security in at the start because it will help the business to prosper and in turn, that helps you.
1 upvotes
Anonymous Author
When leaders in an organization take security seriously, and not just formally endorse it but make it part of every project and engagement, then everyone else takes it more seriously. To the employees, it's really important how security or the lack of it can endanger the organization, can cripple it and create a negative image that will ultimately lead to fewer sales and less growth. Everyone wants to be part of something bigger. The majority of employees want to be part of the organization's growth and want to take an active part in protecting the organization's assets; they just need to be made aware of the consequences and know that their everyday actions, like clicking on an email link or disclosing sensitive info while on the phone with an unknown party, can lead to big losses. From the employees' perspective, the security team should not be seen as the team that should protect us, but the team that will work together with us to help protect the organization.
0 upvotes