Humans can be a liability when it comes to security if you don’t handle them correctly, but they can also become the strongest link in the chain if you foster the right enterprise-wide security culture, according to a leading consultancy.
John Skipper, director of digital security at PA Consulting, told attendees at Infosecurity Europe today that technology on its own doesn’t work in helping establish the digital trust with customers which is so essential to any modern business.
“Doing things in the digital world is pretty complicated,” he argued. “The threat is evolving; attackers have access to more sophisticated tools and cyber is now a more important channel for fraud.”
Firms are increasingly moving to digital channels, often in conjunction with third parties, which increases their attack surface, and there is more regulatory pressure, Skipper added.
To get staff to do the right thing, IT security bosses must try to get buy-in from senior leadership, including the board – right from the CEO down. This will hopefully have a trickle-down effect as staff see their mentors and managers taking security seriously.
It’s also important to identify and reward good behavior, rather than “kicking people” for mistakes, Skipper claimed.
Creating a positive enterprise-wide security culture also requires IT managers to be able to assess exactly where they are on the journey and how far they can realistically go, as well as reinforcing cultural change as something that "matters."
Aside from senior managers, it’s also important to identify “credible local champions” – those who “get it” – and recruit them to convince their peers that security is important. Each meeting could begin with a quick 30-second “safety and security moment” where these individuals could take stock and point out good or bad security practice in the organization, Skipper suggested.
HR support is also essential to achieving lasting change and the whole program must be well managed and communicated and genuinely engage employees – like any good change program, he concluded.
Skipper’s comments echoed those of Publicis Groupe CISO, Thom Langford, who claimed in a Tuesday panel debate that although it’s difficult to achieve, building the right culture when it comes to security can effect real and long-lasting change, so that security almost becomes second nature to staff.
Even explorer Levison Wood argued during his opening keynote at Infosecurity Europe this year that humans tend to be at the heart of anything that goes wrong with a plan, but that a great team is also an essential prerequisite for success.