Security is Everyone's Responsibility

How can CISOs embed a culture of security across their organisation and what does senior leadership want from their CISOs, what are CISOs demanding and is there a disconnect? 

Just as digital is not confined to the technology team nor copywriting to the marketing teams, security is not sole concern of the CISO and their charges: it's a company challenge. Ensuring that the responsibility lies within each individual—as well as the team itself—both underpins the importance of security strategies and protects the businesses' assets from the weakest part of the brand: its employees.

With Lea Sellers moderating this roundtable debate, the speakers include:

• Anahi Santiago, CISO, ChristianaCare
• Mel Reyes, CISO and CIO, Synchrony
• Clare Ward, Digital Strategy and Transformation, @aquila
• Elena Corchero, Founder and Emerging Technologies Evangelist

Defence strategy

The strategy of ‘defence in depth’ incorporates prevention mechanisms as layers in a multi-tiered initiative, with detection and response mechanisms integrated in the same layers, as well as others. While technology plays a key role on multiple levels, another important layer of prevention is the creation of a security awareness culture across the organisation. In fact, insider threats from employees frequently appear in global security reports as a top cause of unintended data breaches.

Establishing a culture of security awareness in an organisation is both as much a mode of operation as it is a mindset. After all, most potentially harmful acts are usually based on routine behaviours such as clicking on a link or email attachment. Consequently, everyone in an organisation needs to adopt this new mindset to help eliminate vulnerabilities as part of a collective effort.

Combined with appointing executives (such as CISOs) who focus specifically on IT and Operational Technology (OT) issues and challenges, awareness programs are instrumental in helping to successfully launch and sustain cybersecurity strategies and programs. By providing the knowledge and tools that help change behaviours, security awareness programs add to every employee’s ability to consciously make more secure decisions.

The importance of security awareness cannot be understated and management needs to emphasise the significance of efforts to promote it across the organisation. This means more than just providing PowerPoint slides or training videos. Awareness is a continual process of constant improvements and adaptation. Programs with dated content that don’t reflect changes in social media policies and bring your own device (BYOD) programs, or those that do not meet compliance regulations, are of little value in today’s environment.

Training tools

New training tools that provide specific direction on best practices are required to help ensure that every employee is better prepared to identify and counter common tactics used by hackers.

Business resilience is not just about recovering from disruption – it’s about anticipating and preventing it. Security awareness programs which change predisposed mindsets are a great place to start. It is important to remember that an effective security awareness program is not just about awareness. It is about defining and reinforcing good habits. To get started, it's a good idea to seek the help of cybersecurity experts to determine how to best implement security awareness programs and practices aimed at better protecting everyone’s valuable data.