A company can put together as many technology solutions or policies as it likes, but, in the end, its people are the most important element in information security. If the employees in your organization don’t feel personally invested in improving your organization’s security, your defenses will always be lacking, says Brian McCarthy, CTO, author and guest speaker on the subject of all things cybersecurity.
“To turn your workforce into a team of information security advocates, you need to make security personal to them”
Large or small firms that inspire in their employees a security mindset and personal sense of responsibility for keeping the business secure are definitely on the right track. According to research by Ponemon Institute, the average total cost of a data breach is more than US $3.6 million, and one in four organizations can expect to experience a breach. Also, cybersecurity breaches are only getting larger in terms of the number of files and accounts—and people—affected.
Your business may need to experiment a bit before discovering the secret recipe for turning your team members into information security advocates, but the effort is well worth it. At Cherub we’re taking steps to motivate our global client base to view information security as a priority. We’re continually looking for new ways to engage their staff, so they want to get involved in helping the business adopt and apply best practices.
We educate them to turn their workforce into a team of information security advocates, you need to make security personal to them. This means helping them understand that lax security practices don’t just impact the mat work, they also hit the mat home.
Several years back we begin rolling out to our customer base our “Information Defenders” program. It gamifies security, and is designed to help client employees feel more personally invested in protecting their company and its data and systems. Here are a few things we’ve learned so far from our work on this initiative that you might find useful as you create your own programs, or contact us to learn more.
1. Build your Security Messages into your Culture
Our campaign focuses on educating people using every communication channel in our company—newsletters, posters, intranet sites, town-hall meetings, videos, annual trainings, and more. A multipronged approach to communication helps ensure we reach every employee in the format that speaks personally to them. They need to plainly see that the program you’re promoting isn’t just a mandate from IT or compliance, but a company wide effort supported by business leadership. When professionals observe their leaders and coworkers all striving toward a common goal, they often want to join in. And today, with so much news about data breaches in the spotlight, they can easily see the relevance and value in shoring up security efforts.
2. Forget a ‘One-Size-Fits-All’ Approach
Generic education about security doesn’t work. You need to tailor it, personalize it. That’s why we’re now experimenting with “personas” that represent different types of people in our company. The personas tie back to how people work, and what their roles are. We’ve identified the security risks for each persona—for example, the kinds of phishing an employee in accounting might encounter—and what people who fit those personas can do to help protect the company.
We’re just starting to introduce a person as part of our quarterly security awareness training. But we think they’re going to go a long way toward helping our clients employees make a strong connection between security risks and their day-to-day work experience.
3. Create Chief Information Defenders
We’re now developing a “chief” version of our Information Defenders program where client employees volunteer to take formal, specialized training to understand the security gaps and risks in their specific areas of the business. A Cherub consultant would help them set goals, and once they achieve them, they would earn the designation of a “Chief Information Defender.” The client would recognize their success and provide them with a financial rewards.
The whole idea of this chief program is to encourage employees who are already passionate about information security to learn even more, and then take that knowledge back to their department. They become experts “on the ground,” helping other employees become more security-minded.
4. Get Buy-In at the Top
I am convinced that no information security program will succeed unless a company’s leadership also feels passionate about the cause of improving security, and views it as a critical part of business strategy.
The good news is that top leadership, busy as they are, will likely be receptive. That includes the board of directors. The ‘National Association of Corporate Directors’ (NACD) 2016–2017 Public Company Governance Survey found that almost one-quarter of boards are dissatisfied with the reporting that management provides on cybersecurity. So, there is clearly an opportunity to reach out, and I encourage you to do so sooner than later. You also might want to consider enlisting help from internal audit leadership, given that they already have the ear of senior management and the board.
Information security risks are always changing, so your program must keep changing, too. Most breaches can be prevented if a human does something differently—not clicking on a link, not opening a suspicious attachment, keeping passwords secure, the list goes on. Our job is to equip our employees with relevant knowledge they can use to keep our business secure. Front line defense is ultimately the best offense in keeping your data secure.
For further information contact us at: info@CherubAS.com or call (407) 416-7955
Complete our form and a eBook will be emailed to you shortly.