New duties of security executives

Building security into enterprise culture from the top down


I'm a fan of this week's theme for National Cyber Security Awareness Month, Cyber from the Break Room to the Board Room. What I love about it is the blatant recognition that executives have a duty to both their board and to their employees.

A few weeks ago I interviewed someone who talked about security awareness training, and he told the story of a CSO who threatened that anyone in his company who fell for a social engineering scam would be fired.

In response, the speaker challenged the CSO with a test, asking if he would agree to the same terms for himself. Not surprisingly, the CSO did not accept the challenge. We all know why. 

Each of us is vulnerable because these actors are highly skilled at bamboozling, and that's why I applaud this week's theme and the industry leaders I have talked with who have embraced the idea that executives must model the behaviors they want their employees to adopt.

In this two-part series, I'll share their tips with you. Feel free to comment if you too have helpful suggestions for getting everyone on board with practicing best security habits.

How do you create a culture of cybersecurity in the workplace? Here are a few ideas:

Peter Tran, GM and senior director, worldwide advanced cyber practice, RSA, said there are three ways to get everyone on board.

“1. The pre-employment 'on-boarding' process is the most critical window in any organization to educate and embed a business-driven security culture for security consciousness aligned to the organization’s specific industry risks. This can vary greatly between banking, healthcare, retail and energy, and the orientation process for new hires is the most important gate.

2. A cyber-secure-aware employee becomes an extension of an enterprise's early monitoring and detection capability, and together with security technologies becomes a force multiplier for monitoring for potential breach activity before it happens. Each person becomes a "sensor" at the endpoint as a user, so imagine hundreds or thousands of secure-aware human sensors reporting suspicious activity.

3. Partnerships are key in establishing a successful security awareness and education program as well as ongoing security skills development. Marketing, IT and communications together can play an integral role in branding security as part of the organization's mission. In addition to the foundational elements of periodic security "refresher" training, driving a business-driven security culture should tie security skills competency requirements at multiple levels to whether an employee is granted access to IT systems for their job function. It's 'pay to play': prove your security swagger and you get access!”

Samir Kapuria, senior vice president and general manager, cyber security services at Symantec, said:

Five years ago, Symantec created CyberWar Games as a real-life approach to better understand the threats our customers face on a daily basis. We believe when it comes to security training there’s no better way to learn than by doing.

CyberWar Games gives our employees the opportunity to enter into a safe, simulated, real world-based environment so they can test, practice and develop their security IQ. We enable our employees to walk in the shoes of attackers because if we think about the surface area like an attacker we learn how to operate, evolve and protect at the velocity of change attackers are executing at. As a result, we become stronger by growing our knowledge base in cyber security.

There is no one particular way to create a culture of cybersecurity, and there are so many facets that it's a challenge to cover all of them. But, it's the duty of the executives to continue to push for a safer culture for the benefit of the business.

Marcelo Pereira, product marketing manager at Flexera Software, said, “CEOs at organizations of all sizes are taking unprecedented interest in the measures that their IT and security teams are putting into place to fend off potentially catastrophic intrusions into their systems by hackers and other malicious actors.”

And in part two of this series, you'll hear more from other industry leaders on additional measures that can be put in place to effectively advance corporate culture's acceptance of their security responsibilities.

This article is published as part of the IDG Contributor Network.