By John McClurg, Chief Security Officer for Global Security Organization, Dell
I’ve often said to security teams I’ve led over the years, “You never want to waste a crisis,” and today’s headlines are filled with one security crisis after another. With high-profile breaches occurring in virtually every type of organization — from retail to healthcare to online dating — data security is top-of-mind for even the most casual users of technology.
As we enter National Cyber Security Awareness Month, these events are useful tools to raise people’s awareness about threats and vulnerabilities that can jeopardize the information they work with every day. Countless studies have shown that data breaches aren’t typically caused by failures of security hardware or software, but by the humans, or the “wetware”, that operate most information systems (the human brain being composed of about 75% water). In other words, even as next-generation firewalls and anti-virus/malware software grow more sophisticated and efficient, they are only as effective as the people who use them (or don’t).
The rising incidents of damaging breaches should serve as a wake-up call that information security must be a shared responsibility across the organization. Future-ready enterprises break through the long-held belief that security is something others (the guns, gates, guards, or geeks) are charged with advancing. Employees, business partners and anyone else with access to sensitive data can no longer think of security as a distasteful cost of doing business. It’s now an indispensable aspect of advancing business prosperity and growth. Just as information technology has reached into the far corners of virtually every enterprise, so too must data security, fostering a culture of business assurance.
Intelligent Risk Taking
This isn’t to say that employees should cower in their cubicles in fear of cybercriminals and the vulnerabilities they could inadvertently expose. Advancing business in the global marketplace today is about intelligent risk taking. Enterprising employees will always feel pressure to get things done, to expedite their efforts and to demonstrate business agility, which creates a temptation to cut corners on security processes and protocols. But establishing a culture of security helps ensure that expedience is practiced intelligently, and only in light of the latest and best threat data available. Employees need to know how poised an adversary is to strike and what vulnerabilities or exposure, if any, might result.
The key to establishing such a culture is good, clear communication. Not just raising the specter of mere possibilities or “bogeymen” who you think you’re facing, but the actual documented prowess and the nature of the threat. My experience is that when you speak candidly and share real data — not just remote possibilities or probabilities, but real threat data and actualities — people will take it seriously, and their hearts and minds come along quickly. It’s when they don’t believe the threat is real that they’ll cut a corner here or there. Give them clearly articulated, real threat data, and they buy in.
Both the Carrot and Stick
Aristotle said something to the effect that, “He is only virtuous who acts outside of fear of punishment or desire for reward.” Though we believe that humans are evolving, the virtuous employee, in an Aristotelian sense, is not the norm. Humans still learn consequential thinking at an early age, and organizations have both carrots and sticks at their disposal to help establish the necessary culture of information security. Profit sharing, bonuses and other standard measures of business performance clearly serve as a carrot to reward employees. They help communicate that it’s in their mutual best interest to assure that the information assets that generate revenue — and the profits they share in — are properly protected. Profit sharing and performance bonuses can be powerful motivators that induce people to refocus their energies and make sure that on a daily basis they’re executing in the smartest way possible.
Conversely, organizations need a repertoire of sticks to emphasize the criticality of information security. If you wantonly choose to disregard critical security protocols that have been shared, and you refuse to engage in processes that are designed for the collective well-being, there must be consequences. And when those consequences are made clear and applied, most human beings are smart enough to take note and will benefit. It’s got to be a combination of both carrots and sticks, until human nature changes.
And whether using a carrot or a stick, leadership should find a way to make it personal. Everyone needs to take individual responsibility and have a personal stake in security and compliance. Doing so can help create an army of foot soldiers on the lookout for potential gaps and threats.
Our Interconnected World
Interdependencies between the physical and logical security worlds are growing exponentially. The rigid boundaries of delineated interests are largely gone: where our business lives begin and our private lives end, and vice versa, is no longer clear. The delineations are so porous that a culture truly focused on security has to be one that’s conscious of the openness or connectedness of the world we now live in. That security culture has to be what I call “contextually aware.” It has to embody an understanding of the open nature of our world and be attuned to the way in which unexpected threat vectors might come at us because of that openness.
How are you helping to create a culture of security?