Security leaders need to foster a culture where their colleagues do more than just follow the rules, according to a CISO panel at Infosecurity Europe.
Creating a security culture is about more than just encouraging people in the business to report incidents, although this remains important. CISOs should also aim to create environments where the business actively looks to work with security teams. This, in turn, means explaining how security helps everyone in the business meet their goals.
“For us, the goal is to have people follow certain behaviors, based on what they know rather than what they have been told,” said Toks Oladuti, CISO at law firm Dentons. “People make these behavior changes more if they understand why.”
At Dentons, Oladuti carries out regular live, hands-on demonstrations of threats such as phishing attacks. These have proved popular, and colleagues who have seen how easy an attack is – but also how easy it can be to counter – are more likely to recall the advice and act on it.
At Aston Martin Lagonda, CISO Robin Smith said that collaboration holds the key to better security. Rather than viewing security as an isolated group, he wants the business to come to him earlier in projects.
Smith also actively seeks out feedback, and if feedback results in changes, he will let the person or team who provided the feedback know. He also puts on “digital garage” projects, where colleagues can develop skills, such as protecting themselves online. “We are making sure security is part of the consciousness of the organization,” he said.
At Dentons, Oladuti finds that lawyers are most likely to engage with security if they see that it brings direct benefits to their clients, to winning new business, or to themselves.
“If they don’t see the value to them as a lawyer, or as a person, there is resistance,” he admitted. “It has to help them with their client work, with growing the business, or with their personal security or the security of their family.”
In addition, any programs need to be short and relevant.
Aston Martin Lagonda’s Smith added that, in a business which is highly focused on design and innovation, there is already interest in new technologies and developments such as AI.
“We push a broad agenda about how cyber can add value to the design process. It will put us ahead of the competition if we can adopt AI really well, as we have done … we need to be adaptive and tolerant of risk if it adds value to the business,” Smith explained.
Nonetheless, a secure culture is not easy to value against financial or other metrics.
“It is very hard to measure,” said Oladuti. “I like to understand the value of what I am doing, but culture is very hard to measure. It is very qualitative – a lot of it is around the engagement we are getting, and that more and more people are reporting [incidents] to us.”
Both CISOs agreed that a culture where colleagues can report security incidents, without fear of punishment, is essential to maintain and improve security.