By Gene Fredriksen
On nearly a daily basis, another person is impacted either directly or indirectly by a visible, far-reaching breach. With breaches this frequent, the ultimate danger to any organization is the possibility that consumers lose faith in the organization, its systems and its ability to protect their information following a breach.
Good privacy and security practices are critical to build consumer trust and confidence. Many organizations are rapidly implementing technology to meet consumer demand, but without consumer trust and confidence, the benefits of this technology will never reach their full potential.
Talk vs. Action
Consider the following organizational goal: “We will provide world-class service for our customers.”
A better goal that integrates security might be: “We will provide secure, world-class service for our customers.”
This seemingly minor shift can have a major impact.
An organization’s security culture contributes to the effectiveness of its information security program. An information security program is more effective when security processes are deeply embedded in the institution’s culture. Security does not have to be at odds with an organizational objective of stellar customer service. It can and should be integrated, but it takes commitment and action across the organization to make a security culture successful.
A culture of security is in place when action replaces rhetoric. Security is easy to talk about but not always easy to do. To determine how your organization measures up, consider whether it does more talking or takes more action.
A Winning Recipe
There is a saying in the security world that just like when making a cake, security is better baked in than smeared on afterward. When an organization introduces new business initiatives such as new service offerings or applications, security must be part of the recipe. Trying to layer or “smear” on security at the end will result in a flawed security model or a system that is slow or difficult to use.
An effective security culture integrates information security into new initiatives from the outset and throughout the life cycle of the program. It is also crucial to ensure that an information security review is completed, and any open issues are resolved, before changes are applied to the production environment.
A culture of security must start at the top. CEOs and boards that understand and support information security usually provide the appropriate resources for developing, implementing and supporting the information security program. The result is a commitment from management and employees to integrate the program into the organization’s lines of business and functions such as vendor management.
Leading by Example
The security culture at a company is just as important, if not more so, as the technology being implemented. The security culture will be a major determinant as to whether a company will survive in today’s ever-increasing threat environment. The culture of a company plays a role in what employees view as important, and security has to be a core value.
Effecting true cultural change takes pragmatic leadership in order for it to permeate day-to-day operations. This type of leader learns through thoughtful reflection and has the humility to adjust his or her daily security culture behaviors, which is perhaps the most important principle that makes a pragmatic security leader stand out.
A bias for living the security culture, combined with thoughtful reflection on the experience, sets the tone for the whole organization. While there are many facets to a successful program, seeing senior management embody the security culture through their words and actions can have a particularly strong effect on employees.
Making security a part of everyone’s responsibilities is key to instilling a security culture. Including a security component in each employee’s performance review will help achieve this goal. Apathy, silos and self-interests are the enemy of creating a security culture. Security is no longer just the province of the security department and IT.
Providing constant reminders of the importance of security through training, posters, email alerts and presentations reinforces the significance security has for the entire company. Of all the programs you can implement to improve the security of your organization, nothing has a greater return on investment than training and cultural awareness.
Gene Fredriksen is Chief Information Security Strategist at PSCU and is responsible for several strategic functions primarily focused on relating PSCU’s perspective and stance on cyber security to existing clients, prospective clients, consultants and the industry as a whole.