Instilling a security-driven culture, from Chicken Little to the Hot Stove Syndrome

Define your organization's culture

It’s 2018, so there’s practically a new breach, vulnerability or some other security-related emergency in the news daily. Given the stakes and risks, you’d think that driving a culture of security and fraud awareness would be easy. However, in many cases, it has become more of a challenge than ever before.

Now, of course, if you happen to be in a regulated industry (healthcare, government or financial services, for example), you have a significant advantage. Security, and building a culture that supports it, isn’t optional, and there are significant financial and legal penalties for not complying. But the rest of us, who lack that mandate, may have obstacles to clear before we can build that culture.

In this article, we will explore what’s behind the challenges to a security-driven culture, what works and what doesn’t.

The challenges

Employees have security fatigue

The very fact that breaches are becoming a daily occurrence may, in some cases, be having a counter-intuitive effect. Employees have come to expect they’ll happen, and they know that most companies bounce right back after the initial financial hit. Combine this with the general attitude that “we’re going to get breached anyway,” and you can suddenly find yourself having to justify security projects to a greater extent than anticipated. Or you may find that employees just don’t think it’s worth worrying about security in their day-to-day work lives.

The Chicken Little effect

Are you realistic about the risks being presented to your company? Remember, not everything is critical, and fear should only be used as a tactic in extreme cases. For example, just because there is a new, significant vulnerability doesn’t mean it needs to be an all-hands-on-deck, drop-what-you’re-doing exercise. Before asking your company to take extreme measures, look realistically at the applicability of the risk and the exposure it actually creates for your company. Ask yourself: Is the affected product or configuration even in use here? What mitigations exist today? What’s the likelihood you will be impacted by this security risk?

Budget constraints and competing priorities

Security should always be a top budgetary priority, but let’s face it, that’s not always the case. We have to compete for the same financial and human resources as everyone else, and when corporate attention is focused elsewhere, getting the dollars needed to fund even priority security and risk-mitigation projects can be a tough sell. This brings me to my next point: driving security from the top down.

Top-down approach

If security isn’t being supported and advocated from the highest level of leadership, you will forever fight an uphill battle. Unfortunately, if the C-suite doesn’t think of security as a top priority, then security starts to lose out in those everyday budget and priority conflicts.

What works?

What’s in it for me (WIFM)

If you can’t show how your employees’ actions, participation or engagement in security will benefit them, then why would they bother? The best way to answer the WIFM question is with data and facts, or with something your employees can relate to personally. Here are two examples of why this works:

  • For clients: When explaining why security needs to be involved early in projects, rather than as an afterthought, use data that shows how rework, retesting and delays have been a result of not engaging security early. This of course impacts their budget and ability to meet deadlines. Taken a step further, if this is a customer-facing solution, engaging security early and ensuring all the right security processes, controls and testing are in place will not only avoid potential issues – it becomes a selling point.
  • For colleagues/employees: When educating employees about security issues like phishing, use an internal example to make the point that the skills you are teaching them apply well outside the boundaries of the corporate office. These are skills they can and should use at home and teach to their friends and families.

I’m here to help

This one is key. While we can’t always say “yes,” we can become a trusted advisor. Instead of saying “no,” give the business options, understand their priorities and help them meet their goals while keeping security at the forefront. Make it clear that turning to you, even when you can’t give them exactly what they want, yields positive results. In other words, you can’t get to innovation without getting past NO.

Lead from the front

You can’t effect change if you stay behind the scenes. Get visibly involved with the core business, meet customers and build relationships. Linked tightly with “I’m here to help,” you want to be viewed as approachable and an ally. You can’t do that locked in your office.

Be realistic

This is the counter to the “Chicken Little Syndrome.” We touched on this already, but it bears repeating: Keep the risk and benefits realistic and based on rational assumptions. Use valid data, if possible, to back it up.

Hot Stove Syndrome

People are complicated and can be stubborn. You may be doing all of the above right, and yet some people just don’t learn not to touch a hot stove until they get burned. Basically, while no one wants to be breached, the reality is that sometimes nothing gets everyone’s attention more effectively than a security incident. Afterward, suddenly, security is prioritized and budget is flowing. Hopefully, if this is the case, it’s a near miss that galvanizes your organization, rather than an actual, significant event.

We touched on some challenges and approaches, but this is just the tip of the iceberg when it comes to building a security-driven corporate culture. So, get out there, build some relationships, be realistic and try not to get burned!

This article is published as part of the IDG Contributor Network.