5 Ways to Create a Bulletproof Security Culture

Brian Stafford

This article was originally published by AlleyWatch

The exponential surge in cyber threats alongside the growing sophistication of techniques employed by hackers has made security a top priority for organizations today. Thus, many companies have turned to the latest technology solutions available to help eliminate any vulnerability that the organization could face'both within and outside of its firewall.

According to IDC, over the next five years, information security technology spending will increase at a CAGR of 8.3%, more than twice the rate of IT spending growth overall. By 2020, companies are likely to invest more than $100 billion on security solutions. Yet, does more technology mean better security, or fewer data breaches? Not necessarily. Just consider the recent phishing attack that led to the release of sensitive Salesforce.com

board materials, which included information on potential M&A targets. In fact, our ability to close the security gap is not as much about the solutions or the protocols as it is the people operating within the organization itself. In short, the world's most advanced'and expensive'technology can be rendered useless if you don't have employees who follow basic security best practices.

In this case, what companies also need to do is create and/or reinforce a security-minded workplace culture. Starting at the top of the organization, board members, c-suite executives and other senior leadership need to set the tone and serve as the example for all other employees to follow. This means breaking old habits and re-writing the rules to ensure all employees'from the mailroom to the boardroom'feel accountable and empowered to eliminate risky behavior.

Here are five ways to get started:

Get Back to Basics

Hackers aren't the only ones behind cyber attacks. In fact, many recent studies have cited both human error and lost/stolen mobile devices as the leading causes of data breaches. As more and more employees work remotely and from their own devices'particularly senior-level executives who travel frequently'it's essential to create or update policies that cater to the modern, mobile workforce. This should cover everything from acceptable use of Wi-Fi connections to protocols for shared workspace or business center use, and everything in-between. Employees should also be notified and trained regularly on remediation procedures in the event that data is lost or potentially compromised.

Reinvent the Org Chart

According to a survey from ISACA and the RSA Conference, only 1 in 7 CISOs report to the CEO'a seemingly small percentage compared to the hype and urgency around cyber security in corporations today. In order to signal to employees, customers and stakeholders alike that security is paramount, the CISO should have a direct link into not just the CEO, but also board-level executives as well'both groups who are becoming more and more accountable for failures that occur under their watch. Additionally, to further demonstrate a unified, company-wide commitment to security, companies should establish a 'task force' of senior-level leaders from technology, HR, finance, marketing and sales. Together, this team can regularly inform the CEO of potential risks; conduct drills designed to identify, manage and mitigate threats and/or loss events; and share responsibility for reinforcing the company's security culture within their individual business lines.

Invest in Education

In an age where hackers will try anything to gain access to private systems and confidential data, one-time or infrequent trainings on a company's security protocols and procedures is highly ineffective. Any company that seeks to have a strong security culture must not only offer robust trainings to all employees'including the c-suite'but also encourage professional development opportunities tailored to their unique focus areas. Everything from industry conferences to independent coursework can help employees become more security aware and prepared to help defend their organizations against the ever-evolving threat landscape.

Incentivize & Reward Wanted Behavior

Any company that wants its employees to live and breathe security needs to give them a reason to do so. While monetary incentives may work, the reality is that most companies lack robust budgets required to payout all employees, and even then, the impact of doing so may be superficial at best. Instead, companies should consider which factors motivate employees at different levels within an organization and design programs accordingly. For example, while the executive team may be more motivated by the financial performance or brand reputation of a company, others, especially those on the first line of defense, may be motivated by career advancement or new job responsibilities. In this case, rewarding security-minded actions as part of one's performance review could be one solution that both encourages participation, as well as reduces real security vulnerabilities the business faces.

Apply the Right Technology

The security technology space is white hot, due in great part to the rapidly evolving cyber security and data protection threats companies face everyday. While there is no question that innovative technology solutions are essential to help companies close security gaps, it's equally important to ensure that the right solutions are applied. For example, following the recent Yahoo data breach, research from Diligent revealed that roughly 1 in 3 U.S. board members use free email service providers (ESPs), including Yahoo, to conduct business. Given the highly sensitive information handled at the board-level, ESPs are vulnerable to hacking and thus, a more secure tool, such as a board portal, may be necessary to protect confidential information and conversations. Breaches can originate from any place in the organization. It's essential that companies take a closer look within individual business lines and determine which solutions can mitigate major risks.

Related Insights
Brian Stafford

Brian Stafford is Chief Executive Officer of Diligent Corporation. Mr. Stafford assumed the role of CEO in March 2015 and is responsible for all day-to-day operations, with a focus on accelerating global growth and incorporating scale into the business in order to seamlessly manage the growth.

Mr. Stafford previously served as a Partner at McKinsey & Company, where he founded and led their Growth Stage Tech Practice. While there, he concentrated on helping Growth Stage Technology companies scale faster and did extensive work with Software-as-a-Service (SaaS) companies, focusing on growth strategy, sales operations and strategy, pricing, international growth strategy and team building. Prior to his tenure at McKinsey, Mr. Stafford was the Founder, President and CEO of CarOrder, a division of Trilogy Software based in Austin, Texas.

Mr. Stafford holds a Master's Degree in Computer Science from the University of Chicago and a BS in Economics from the Wharton School at the University of Pennsylvania. He currently lives in Manhattan.