Generally, the chief information security officer (CISO) is thought of as the top executive responsible for information security within an organization. However, in today’s remote work environment, extending security beyond one department, and beyond the responsibilities of the CISO alone, is more important than ever. Because of the pandemic, the physical perimeter of the office has disappeared and the attack surface has expanded sharply, leaving far more endpoints exposed to attack. In this scenario, each employee’s home office has become a new source of risk, which is why building a strong security culture within organizations should be a priority.
Security behaviors and a shared culture
We continue to see new breaches in the news, from the large-scale Twitter hack to the more recent Instacart account data found on the dark web. These incidents, and countless others, are a testament to the critical importance of strong security behaviors - both at work and at home - and the training and attentiveness they require.
Shared responsibility for security is closely tied to how employees – at all levels – perceive its importance. If that importance is ingrained in the culture, employees will have, and will actually use, the skills and tools to protect themselves and the organization. This is, of course, easier said than done.
Creating and maintaining a security culture is a constantly evolving mission, and influencing people’s behavior can be the most challenging part of all. People have become numb to the security threats they face: although they understand the potential risks, they often do nothing about them. For example, in the Psychology of Passwords survey, we found that 91 percent know that reusing the same password is risky; however, 66 percent do it anyway. So, how do we get through that dissonance and get people engaged in security?
Cue the rest of the C-suite: security comes from the top down
As security continues to grow in importance – with the global cost of cybercrime, pushed higher by the pandemic, projected to reach an estimated $6 trillion annually by 2021, and global spending on cybersecurity expected to reach $123.8 billion this year – organizations absolutely need an executive at the top to vocally and adamantly advocate for security.
CISOs typically lead this charge. They are often tasked with leading a security team and program responsible for protecting all information assets, and with ensuring that disaster recovery, business continuity and incident response plans are in place and tested. In addition, CISOs and their teams are usually responsible for evaluating new technologies, staying current on compliance regulations, overseeing identity and access management, communicating risks and security strategy to the C-suite and providing training. Today, CISOs are also focused on protecting a highly distributed workforce as well as customers – whether in the office, at home or a mix of both – and on the new security challenges and threats that come with this hybrid environment. With the CISO’s plate this full, it’s more important than ever for other C-suite executives to help promote and drive the organization’s security culture - especially through communications, training and enforcement of best practices.
While CISOs continue to spearhead the development of the organization’s security program and define the security mission and culture, other C-suite executives can vocally support these programs to preserve their integrity throughout the whole process, from vision and development to implementation and ongoing enforcement. C-suite participation can also help CISOs focus on the most important security issues and adjust the program so that it is aligned with broader business plans and strategies, winning broader support without compromising security.
One likely companion for this type of cross-department alignment is the Chief Operating Officer (COO). Because this role typically reports directly to the CEO and is considered second in the chain of command, the COO carries the authority needed to advocate for security and to explain how it affects employees, customers, products and, ultimately, the business. This means a good COO today needs to foster a business culture that fully supports security efforts, while also ensuring security is prioritized at a tactical level.
However, the COO is not the only one who needs to serve as a security advocate. All C-level executives have a critical role to play in establishing a strong security culture. Because of their connections to different stakeholders, each can contribute a distinct perspective. For example, the COO can better incorporate input from the board, which is vital to ensuring the CISO understands the company’s risk tolerance, a factor that directly affects innovation and revenue. The Chief Financial Officer (CFO) can share insight into spending priorities and the various obligations involved in protecting financial systems, and the Chief Human Resources Manager (CHRM) can gather valuable input from employees. The CHRM is instrumental in driving the development of the security culture; their level of engagement often determines whether a genuinely security-conscious culture takes hold.
Security-conscious C-suite executives will be able to step in and reinforce the CISO’s message that security needs to be a top priority.
The security-conscious company
Behavior modeled at the top demonstrates the whole company’s commitment to security and gives every employee a sense of responsibility for their own role in it.
Whether one works at a company with or without a CISO, it’s crucial that C-suite executives are seen as advocates for security, and that those behaviors carry through to all employees. As security continues to grow in importance and the workforce landscape continues to shift because of the pandemic, we need both executives and employees focused on keeping the organization secure.
Building a security culture from the ground up takes time and resources, but in the long run it becomes a critical layer of defense, protecting employees and the company as a whole against a growing threat landscape.