Driving a Culture of Security - Tips For The CIO

Combating the cybersecurity skills gap both in terms of recruiting quality talent and employee awareness continues to be a top concern for the board.

The threat landscape is constantly evolving, and CIOs from public services to the enterprise are facing a global cyber-skills shortage. A recent report from ISC2 highlighted a shortfall of over one million trained security professionals, with the figure forecast to rise to 1.8 million in the next five years. There is no quick fix for this problem, but the CIO can instill a culture of security to actively tackle the shortfall.

CIOs can deploy the most robust security software on the market, but employees should always be the first line of defense. A recent study from Forcepoint highlighted that 35% of employees across major European countries have been involved in a security breach. More often than not, hackers aren’t the cause of breaches; it’s more likely that an employee has inadvertently shared sensitive information when they shouldn’t or a malicious insider has purposefully leaked data.

A company culture that does not currently value security can take time to change, but simple steps are available that can be especially effective in a short timeframe.

Collaborate with HR and L&D

First and foremost, there needs to be a universal awareness of security policy across the entire organization. The IT department should work closely with the HR and L&D teams to construct robust security policies that can be understood by all employees. It is critical for every employee to know how to prevent themselves from putting the company at risk, whether it is through weak passwords, clicking on unsafe links or using unauthorized personal devices in the office.

Security policies are frequently not updated to reflect new threats, nor re-shared with employees often enough. As best practice, the security policy should be mandatory and circulated around the business at least once a year. On-boarding new joiners and returning employees (from parental leave or a long absence) is equally important, and should be treated with the same level of importance as health and safety.

Invest in role specific training

Security training should also be role specific. The security needs of a helpdesk worker will be very different from the requirements of a developer. Continuous learning is valuable to ensure that staff keep their skills up to date. Classroom training is expensive to run and tricky to organize. Given that security threats evolve constantly, companies should consider online on-demand training, where the courses are always up to date and can be taken at times convenient for employees.

Grow your team’s skillset

Many organizations are also starting to invest in ethical hacking skills. This is essentially where someone uses the same techniques as a hacker to identify the weak points in an organization’s cybersecurity, but instead uses that knowledge to improve its defenses.

With the right skills in place, ethical hackers can advise businesses on all aspects of digital security, and make the organization much more resistant to attacks. This advice can range from showing programmers and app developers how to make their code harder to hack, to providing other members of staff with advice on choosing passwords that are harder to guess, or how to spot phishing emails.

Create engaging content

It’s also important to drive awareness of breaches that happen to other firms and governments. Companies I work with often share a monthly email or intranet feature on a particular aspect of security that’s high on the priority list for the month. You can use a breach in the media to build a story and highlight courses that can be taken to avoid the same mistakes being made in your organization.

If you can, make security training enjoyable. Incentivize the training, for example, by giving employees the chance to win an extra day’s holiday if they complete all of their security courses. The biggest incentive should be: protect the organization and the organization will look after you.

Lead by example

CIOs and CISOs need to live and breathe security. The best CIOs and CISOs take an active interest by blogging about security, sharing insights with their organization and attending the same security awareness courses as their staff.

To create a culture of security, you can’t just expect employees to understand security policy by leaving them to do some training courses. Taking an active interest and leading by example will go a long way to build this culture. If senior management aren’t prepared to take an interest in security, then why would staff?

If the last few years have taught us anything, it’s that cyber-attacks are here to stay. As attacks become increasingly sophisticated, the skillset of employees should follow suit. It is vital that companies look to create a culture of security and arm their staff with the right skills to better protect the business.