Cyber Matters: The Power of the Pledge
By Rob Sloan, cybersecurity research director, WSJ Pro
No amount of training on identifying phishing emails and creating strong passwords guarantees security, though most organizations recognize every little bit helps. However, for an internet security company whose mission is to secure not just its own data, but the data of tens of thousands of enterprise customers and millions of individual consumers, something more is required.
McAfee protects almost half a billion endpoints worldwide, including two-thirds of the world’s 2,000 largest companies, and was spun out of Intel Security in April 2017. While the brand is closely associated with cybersecurity, building an internal security-first culture across the enterprise was a task chief executive Chris Young knew was of the utmost importance.
Vision and Values
Mr. Young said the process starts with the company leadership embedding security into the vision and values of the organization.
“Then you must get employees onboard, as well as others outside your organization who will have an impact on your culture. Keep in mind your own employees can be your best defense or your biggest vulnerability when it comes to cyber threats,” he said.
McAfee has a definite security culture advantage over non-security companies in that the majority of its employees live and breathe cybersecurity every day in their jobs. Yet that alone isn’t enough.
“McAfee employees feel proud to work for a company -- and in an industry -- that keeps the world safe,” said Mr. Young. “I wanted to create a culture manifesto that our employees could get behind, celebrate, and truly live -- and aspire to.”
Mr. Young described how the leadership team’s initial attempts at writing a mission statement inadvertently produced something more akin to a personal commitment.
“We adapted some of the language to make it bolder and to make the intention crystal clear for anyone saying the words. The Pledge symbolizes this commitment, this purpose, for our employees,” he said. It reads:
We dedicate ourselves to keeping the world safe from cyber threats. Threats that are no longer limited to the confines of our computers, but are prevalent in every aspect of our connected world. We will not rest in our quest to protect the safety of our families, our communities, and our nations.
All employees were asked to sign the pledge and new employees sign it as part of the onboarding process. But in contrast to signing a corporate IT Acceptable Use Policy, the Pledge is not something that is quickly forgotten about.
“We literally have the Pledge on walls around our offices,” said Mr. Young. “The Pledge is also on notebooks and badge cards because we want to remind employees that with every step they take comes huge responsibility. We remind our employees that they could be the difference in thwarting a cyberattack, whether for a customer or partner, or for McAfee.”
The simple step of making the Pledge highly visible keeps its importance in the forefront of employees’ minds.
“CEOs should care about this. It’s up to them to set the vision and values of the company, including the visibility and importance of cybersecurity,” Mr. Young said. There is a business imperative for creating a secure culture, he added. Cybercrime costs companies hundreds of billions of dollars annually. Attacks on smaller firms can put them out of business.
Behavioral Change
According to Mr. Young, simply “tweaking your [current] mission or vision statements to add appropriate language” isn’t enough. The goal is to change employee behavior and encourage the company’s supply chain and extended ecosystem to consider their actions. Simply adding the word ‘securely’ will not achieve that outcome.
Organizations must recognize that building a security culture is a long-term commitment and requires ongoing work to reflect both the changing threats and the fact that for most employees in most companies, security is not necessarily a priority. Motivations such as driving revenues, achieving targets and simply trying to get a job done often conflict with operating securely.
Mr. Young foresees incentivizing and rewarding employees for demonstrating secure behaviors, for example reporting a phishing scam to the security team: “Ultimately, you must get to a place where employees adopt a security-first mindset – that means security is embedded in everything your company does – from product design, to assessing partners, to hiring employees.”
Rob Sloan is cybersecurity research director at WSJ Pro. Rob started his career with the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure, before working as response director for a specialist IT security consultancy in London. Rob recently graduated from Carnegie Mellon University's Chief Risk Officer Certificate program.
Scar Reduction Specialist | Skin and Scar Health | Scar Repair Expert | Skin Scarring Serum Retailer | Post Surgery Scar
7 years ago: Do you have some more information on cybersecurity? I’m enjoying reading about this.
Director, SANS Institute : Board Member, National Cybersecurity Alliance : Founder, Honeynet Project
7 years ago: Impressive. An organization whose very existence is based on solving security problems through technology also understands the importance of addressing (and leveraging) the human element. Love the pledge idea.