I'm trying to build a more security-aware culture.  Has anyone successfully embedded security responsibilities in other teams across the business?

Anonymous Author
Security cultures will vary and often are unique to a business culture. Most security programs are deliberate with a set of actions to promote awareness and there are some significant features of successful security cultures.
· Security awareness extends past IT and begins at the top. Senior leaders set the tone and drive cultural change. Making executives aware of the risk to the organization posed by a lack of security awareness is key: loss of revenue; reputation damage; operational disruptions; intellectual property (IP) theft; and theft of personally identifiable information (PII).
· Establish a continuous security training program for all staff. Training staff about safe online computing, strong passwords, and social engineering will help mold the organization into the first line of cyber defense and ensure the confidentiality of sensitive business data.
· Keep the security program aligned with business objectives. Focus on specific incremental goals rather than trying to achieve too much too fast. Identify the security behaviors that need to be promoted and align those behaviors to business results so that employees can understand the value security has in protecting the overall organization.
Most importantly, successful security programs AVOID a culture of blame and fear when it comes to security. Security leaders should empower users with a culture of personal responsibility so staff treat data security in the same way they treat other company policies like health and safety.
4 upvotes
Anonymous Author
Yes, but the key thing here is not adding additional responsibilities to folx across the business without support at all levels. Lots of ideas & strategy on this, and it was a big part of my talk at APCO… here are a few places to start:
First, it obviously needs to be valued from the top. If people taking security seriously don’t get promoted, raises, etc., it’s spitting in the wind and the org is sending conflicting messages.
Next, add enablement factors to support teams across the business & bottom up. This could be consultants & security coaches, could be a team tasked with shifting left & right. But budget and support additional resources to make incremental improvements and enable all.
Finally, invest in security that improves the *experience* for all. Many “security” tactical improvements make things better when they aren’t bolted on; for example, thorough MFA & SSO mean you can relax on the “change challenging password every 30 days” and reduce account friction & also make things quicker to deliver while making them more secure.
0 upvotes