We often think of security as a technology problem. But at its core, security is and always has been a people problem. You can have the fanciest security tools up and running, but if your organization is full of happy clickers, you still have a problem on your hands.
For this reason, the more that security is a part of your company culture, the better off you will be when it comes to standing up to today’s threats. Many companies don’t dedicate someone who specializes solely in security until they have reached a certain level of scale. When the time comes, companies may either hire someone from outside the organization, or — as is often the case these days — move someone in an operations role into a full-time security role.
Whatever your approach, you can’t just ignore security until the day security becomes someone’s full-time job. In fact, if you wait to address this key issue until the first full-timer is in place, you will make that person’s job a whole lot harder. In an era when security talent is tough to come by and tougher to retain, you can’t afford to hand over the Sisyphean task of “creating a security culture” on day one.
Instead, it’s much smarter to lay the groundwork for making security a broad and deep part of your company’s culture early on. If you’re already planning to hire or internally promote a security pro, now’s a good time to start laying this foundation. But even if you are months or years away from this transition, it’s never too early to get started building your security culture — and you’ll make measurable and observable improvements to your security posture as you do.
Start the Conversation
To get started, upper management needs to open up the conversation around security. It’s key to have executive buy-in and to demonstrate how much of a priority security is if you want to build a security-friendly culture. It’s a good idea to hold an all-hands meeting in which the CEO, COO, or someone in the C-suite explains to the organization that you will be taking a more comprehensive and inclusive approach to security going forward and why it’s critical for the business.
This sends a message to the whole company that security is a necessary part of running the business. It’s also an opportunity to emphasize that security isn’t just a way to prevent bad things from happening, but can also be an important business booster — helping to close deals faster, increase market share, drive revenue, and strengthen brand.
This doesn’t need to be delivered via a long PowerPoint deck that your employees will sleep through. In fact, it’s to your benefit to make the conversation as interactive and engaging as possible. You might focus on some recent security breaches that have affected others in your industry, show examples of phishing emails that have been flagged at your company, or introduce some new tools that will help everyone stay more secure (more on that in a moment.) The exact content you cover will depend on your current level of security maturity, and the purpose of the talk should be to get everyone on the same page about what is expected and how the company will treat security moving forward.
Consider Hiring a Consulting Security Expert
You may want to consider bringing in a consulting security expert who can evaluate where you stand today from a security perspective and offer recommendations for how to further button up your posture. You might not have the time or expertise to frame a security roadmap, and this is where outside collaborators can be invaluable. Depending on your organization’s unique needs, this could be a pretty quick project, or it might mean bringing this person in on a monthly retainer basis to help you roll out new security protocols. Either way, hiring someone on a consulting basis before you bring in the first full-time security person can help bridge the gap. Security has a lot of moving parts and there’s a reason that many professionals spend their entire careers focused on just this one area. There’s a lot to learn, and things change quickly. Having an expert on your side for even a little while can help you establish a better baseline, which will make your first full-time security pro’s job much less overwhelming and far more rewarding.
Provide Employee Security Training
Next, you should develop a training program that can be rolled out to all current members of your organization. This should focus on key topics that will help them do their jobs in a more secure manner, knowing that this will mature over time with your roadmap. Many items to go over (email hygiene, phishing awareness, two-factor authentication, workstation security, etc.) will apply to every single employee, but don’t forget to focus on any specific role-based security precautions. For example, developers should understand how to produce and deploy code securely (a massive topic that requires investment and iteration), and HR should be well-versed in how to transmit and store sensitive employment data securely. All current employees should receive this training, and from there you can create a regular onboarding process for new hires.
Open Up the Conversation (and Remove the Blame)
For security to be an ongoing part of your organization’s culture, you need to make sure that the conversation remains positive. It’s important to refrain from blame when someone makes a security mistake. For example, odds are, from time to time, you’re going to learn that someone clicked on a phishing link in an email. Instead of making this a personal issue, use it as an opportunity to remind everyone about red flags to look out for and the best steps to take if they suspect that something’s not right. (For more on this, take a look at our blameless postmortem blog post.)
We also recommend setting up a chat channel dedicated to security and tasking someone on your IT team (or someone with an interest in security) to monitor it. Then, employees have a forum where they can ask questions, submit requests, and call attention to anything they feel might pose a security risk — and receive timely responses from your in-house security experts.
Make Security Everyone’s Responsibility
Hopefully, the steps above will help create an environment in your organization where security is seen as everyone’s responsibility. We’ve written before about why all employees need to be deputized as security ambassadors. Accomplishing this comes down to communicating where an employee’s responsibility toward security lies and arming them with the right tools and techniques to stay safe (whether that’s two-factor authentication, a Slack security channel, or identity management software). If you establish an organization-wide sense of responsibility early on, it will make a full-time security person’s job a whole lot easier, because that person won’t be fighting an uphill battle against your company culture.
Focus on Continuous Improvement
Security is not a “set it and forget it” proposition. It requires ongoing dedication to be successful. Even before you select that first security pro, it’s a good idea to understand your security baseline and identify a series of next steps you can take to ensure continuous improvement. If you can pick off a few items that are doable each month, you will be able to make yourself an unappealing attack target (which, after all, is the goal.)
Final Words . . .
While security can seem overwhelming at the outset, if you focus on increasing awareness and knowledge, instilling responsibility, empowering employees, and continually improving your security posture, you’ll be totally prepared to welcome that first security hire with open arms — and he or she will be thrilled to come on board.