ra2 studio - Fotolia
Security can be an important market differentiator, especially when there is no real product-based competitive edge, according to Thom Langford, chief information security officer (CISO) at Publicis Groupe.
“Ensure the organisation understands this and embraces a security culture by marketing it internally to evoke a visceral response,” he told the European Identity & Cloud Conference 2016 in Munich.
Security professionals should not merely try to “sell” security, said Langford, but engage everyone in the business by showing them what security means to them.
“Security needs to market itself internally and engage people in the organisation by advising them on how [for example] to secure their Wi-Fi at home, rather than telling them what to do,” he said.
Langford said engaging people to create a security culture is just as important as a security strategy to enable an organisation to stand out from its competitors.
“A security culture will do huge amounts of work on behalf of information security professionals in support of the security strategy,” he said.
He added that organisations should “market security as a lifestyle choice in the same way that car manufacturers do”.
Embedding a security culture
A security culture can be resilient, said Langford, because it changes and evolves over time and will support any strategy in any economic environment. It can also be efficient because it is embedded in all employees, is self-generating and encourages people to check with colleagues.
“Only where there is a security culture will people feel confident enough to ask their colleagues about things such as phishing emails. Where there is no security culture, people tend to focus only on their day-to-day tasks,” he said.
The best way to start and grow a security culture, said Langford, is for security professionals to stop treating people in the organisation like idiots, and instead “treat them like heroes, engage with them, be open and reward and celebrate people whenever they do something good from a security perspective”.
At Publicis, for example, an employee was praised on its internal social media platform for suggesting an address be set up, to which employees could send all emails they suspected of being phishing attempts.
“By saying ‘thank you’ for good ideas it encourages two-way communication and helps make everyone in the organisation a security advocate, rather than focusing on security failings, which discourage people from participating, asking for advice, or admitting mistakes,” said Langford.
At the same time, he added, rather than saying “no” to the business when people are looking to do things in new ways, security professionals should help people in the business to make risk-based decisions.
Finally, said Langford, security professionals should know and understand the desired business outcomes, and make security decisions around, and in support of, those outcomes.
Responding to questions from conference attendees, Langford said a single security culture can work for global organisations, but may require regional ambassadors to help adaption.
“Having a single social networking platform across the organisation is also very helpful because all the security conversations are happening in a single place,” he said.
Read more about security culture
- As organisations today move more data to the cloud, it’s important to cultivate a cloud security culture and enlist a CISO, a new report shows.
- Top-down and siloed attempts to catalogue and control data will inevitably fail, if culture is ignored.
- Building a security culture can shield you from cyber crime.