How to Create a Positive Security Culture

How do you create a positive security culture? It's rarely the first concept anyone wants to embrace, yet it's important that everyone understands their responsibility. So what do you do, and how do you overcome the inevitable roadblocks?

Check out this post and this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our sponsored guest, Jadee Hanson, CISO/CIO for Code42 (acquired by Mimecast).

Here’s what we discussed.

If you want a security-minded staff, you need to make it personal and be patient. "Cyber needs to become second nature, like looking both ways before you cross the street," said Lisa Ackerman of 荷商葛蘭素史克藥廠, who advises patience in getting there. "It will take more than once a year cyber training or a monthly phishing test." If you can make people care about their personal security, they'll start to understand the value of security to the business. "Giving users actionable education related to their homes, family, and friends has been helpful," said Gabe S., CISO of PDC TECHNOLOGY, Inc.

To build a security culture, just build culture first. Find ways to connect with your staff before you begin a conversation about security. "It is about culture in the first place and not simply awareness," said Christian Borst of Vectra AI. "I could not get developers or security champions to reach out to the security team for help or guidance," admitted Ashish Rajan of Cloud Security Podcast. "For me, the resolution was to start showing up for their team bbq parties and game days in the office. This connected us as colleagues first and security team second."

Security culture from the top down. Must the CEO be on board and part of the education on security culture? We know we want them to not be a blocker, but must they be leading awareness and training requirements? "Have the CEO mention security in presentations to the company, including their own personal journey of awareness," said Chris Nolke of Skycrane, who warned of the consequences of letting someone else lead: "Abdicating leadership from the top makes 'security culture' impossible in strict terms."

Listen to their concerns before you tell them what to do. "Meet people at their level - don't expect them to come to yours," said Shaun Marion, CISO of 麦当劳. "Don't talk to the board about 'the threat landscape' unless you are prepared to relate it in business terms." Use criticism of your efforts as a way to improve, and let others lead for you. After receiving negative feedback on a training program, Duane Gran of Converge Technology Solutions Corp. was able to turn a detractor into a champion. "I thanked her for taking an interest, asked for her to elaborate and eventually got her involved as a volunteer to help select awareness topics. Sometimes your most vocal critics can become your most vocal champions for the security program."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

HUGE thanks to our sponsor, Code42 (acquired by Mimecast)

Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Sean Kelly. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Phil Beyer, former head of security, Etsy.

Thanks to our Cyber Security Headlines sponsor, Conveyor

Coming up in the weeks ahead on Super Cyber Friday we have:

  • We're taking a long break until...
  • [07-21-23] Hacking 5G Security

Save your spot and register for them all now!

[06-19-23] CISO Series Podcast Live in Tel Aviv

We'll be kicking off the CISO Summit TLV 2023, a six-day event, with a live audience recording of CISO Series Podcast. This is a private invite-only event, but if you're a CISO/security leader you can apply to be invited to the event. Huge thanks to our hosts, Team8, for bringing us out to Tel Aviv.

The full event happens from June 18-23 at the Sheraton, Tel Aviv. We’ll be doing our recording on June 19th, 2023.

Joining me on stage will be Paul Branley, deputy CISO and director of strategy, innovation and testing, Lloyds Banking Group. And we'll have Jesse Whaley, CISO, Amtrak.

Jump in on these conversations

"The human factor is often the weakest link in cybersecurity. What strategies have you found to be effective in keeping your team informed and engaged in maintaining strong security practices?" (More here)

"Pinnacle of your career in cyber security" (More here)

"Company wants to implement AI note taking software for our meetings, how do other feel about this from a security perspective?" (More here)

What the Heck Is OpenText Doing In Cybersecurity?

Sponsored content

Most people know OpenText as an information management company. But what they don't know is that they've been building and acquiring assets in the cybersecurity market. In this video Geoff Bibby, SVP, security marketing for OpenText, explains their portfolio. They are trying to fill out the threat intelligence spectrum. Check out cyberres.com for additional information.

Watch the video

HUGE thanks to our sponsor, OpenText

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.

Alexander Oddo

Technology Pathfinder

1 year

Great topic David Spark. Another thing to consider is positive reinforcement versus the traditional punitive approach in which companies send people who click on phishing simulations to remedial training so it’s a 1-2 punch of tricking the employee and then punishing them. People need to feel like it’s ok to make a mistake. After all, we’re human and we make mistakes. It’s what you do after the mistake that could make all the difference. That only comes when you’ve fostered a positive cyber culture.

Reply
Robert Z.

Security Solutions Architect at EVOTEK managing and mitigating cyber risk for business growth, regulatory compliance, customer commitment, and business investors.

1 year

Hear, hear! Sage counsel: "Don't talk to the board about 'the threat landscape' unless you are prepared to relate it in business terms." And I like to use another quote: "This is the way."

Reply

Loved the security training for "in the moment". Another fantastic episode!

Reply
