New duties of security executives

Oct 11, 2016 | 4 mins
IT Leadership, Security, Technology Industry

Building security into enterprise culture from the top down


I’m a fan of this week’s theme for National Cyber Security Awareness Month, Cyber from the Break Room to the Board Room. What I love about it is the blatant recognition that executives have a duty to both their board and to their employees.

A few weeks ago I interviewed someone who talked about security awareness training, and he told the story of a CSO who threatened that anyone in his company who fell for a social engineering scam would be fired.

In response, the speaker challenged the CSO with a test, asking if he would agree to the same terms for himself. Not surprisingly, the CSO did not accept the challenge. We all know why.

Each of us is vulnerable because these actors are highly skilled at bamboozling, and that’s why I applaud this week’s theme and the industry leaders I have talked with who have embraced the idea that executives must model the behaviors they want their employees to adopt.

In this two-part series, I’ll share their tips with you. Feel free to comment if you too have helpful suggestions for getting everyone on board with practicing best security habits.

How do you create a culture of cybersecurity in the workplace? Here are a few ideas:

Peter Tran, GM and senior director, worldwide advanced cyber practice, RSA, said there are three ways to get everyone on board.

“1. The pre-employment ‘on-boarding’ process is the most critical window in any organization to educate and embed a business-driven security culture for security consciousness aligned to the organization’s specific industry risks. This can vary greatly between banking, healthcare, retail and energy, and the orientation process for new hires is the most important gate.

2. A cyber secure aware employee becomes an extension of an enterprise’s early monitoring and detection capability, and together with security technologies becomes a force multiplier for monitoring for potential breach activity before it happens. Each person becomes a ‘sensor’ at the end point as a user, so imagine hundreds or thousands of secure aware human sensors reporting suspicious activity.

3. Partnerships are key in establishing a successful security awareness and education program as well as ongoing security skills development. Marketing, IT and communications together can play an integral role in branding security as part of the organization’s mission. In addition to the foundational elements of periodic security ‘refresher’ training, driving a business-driven security culture should tie security skills competency requirements at multiple levels to whether an employee is granted access to IT systems for their job function. It’s ‘pay to play’: prove your security swagger and you get access!”

Samir Kapuria, senior vice president and general manager, cyber security services at Symantec, said:

Five years ago, Symantec created CyberWar Games as a real-life approach to better understand the threats our customers face on a daily basis. We believe when it comes to security training there’s no better way to learn than by doing.

CyberWar Games gives our employees the opportunity to enter into a safe, simulated, real world-based environment so they can test, practice and develop their security IQ. We enable our employees to walk in the shoes of attackers because if we think about the surface area like an attacker we learn how to operate, evolve and protect at the velocity of change attackers are executing at. As a result, we become stronger by growing our knowledge base in cyber security.

There is no one particular way to create a culture of cybersecurity, and there are so many facets that it’s a challenge to cover all of them. But, it’s the duty of the executives to continue to push for a safer culture for the benefit of the business.

Marcelo Pereira, product marketing manager at Flexera Software, said, “CEOs at organizations of all sizes are taking unprecedented interest in the measures that their IT and security teams are putting into place to fend off potentially catastrophic intrusions into their systems by hackers and other malicious actors.”

And in part two of this series, you’ll hear more from other industry leaders on additional measures that can be put in place to effectively advance corporate culture’s acceptance of their security responsibilities.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.