Modern field guide to security and privacy

Security’s people problem — and how executives can help fix it

Perhaps the greatest power high-level executives and board members have is the ability to change the culture of security in their organizations

Joyce Boghosian, The Chertoff Group
Pictured from left to right at this November 18 event in Washington, DC: Deb Fitzgerald, Deltek’s chief information officer, Joanne Martin, the CISO advisory practice lead for Hartman Advisors, Anthony Grieco, security director and trust officer for Cisco, and Adam Isles, Principal, The Chertoff Group (moderator).

It’s the stuff of nightmares for many chief information security officers (CISOs): one disgruntled employee in the wrong position brings an entire organization to its knees.

While the conversation around cybersecurity risk usually revolves around external attackers, insiders are among the greatest threats companies face. Most insider incidents are accidental, not malicious, says Joanne Martin, the CISO advisory practice lead for Hartman Advisors.

How can companies reduce those accidents?

“Culture,” she says, “is your tool to eradicate stupidity.”

Internal security initiatives can easily feel to employees like an imposition by a small group of cyber-doomsday cultists within the company.

“We’ve seen a tremendous shift in conversation that is occurring at the senior management and board level,” says Anthony Grieco, security director and trust officer for Cisco. “They [boards and senior management] are now understanding that technology is going to play a tremendous role in enabling the business from a perspective of products that are actually being delivered to the company’s customers.”

Grieco was speaking on the “Security in the Boardroom” panel at a recent cybersecurity forum held by The Chertoff Group, an advisory firm focused solely on security and risk management.

It’s a sort of “trickle-down theory” of security within companies: if upper-level executives build security into every conversation, not from a technology perspective but from a business-impact perspective, it ties security to the overarching vision and mission of the company, says Deb Fitzgerald, Deltek’s chief information officer.

Cultural shifts require buy-in at the board level. But it can be difficult for CISOs to explain to their boards why certain practices are needed without resorting to obscure statistics that boards don’t understand.

“A board needs to designate a member who’s keeping track of security culture. Senior levels can’t abdicate [security responsibility] to the CISO,” says Grieco.

Companies also need to be aware of how both board members and employees will absorb the language used to describe a security initiative.

“When you start talking ‘insider threats,’ your employees start thinking you don’t trust them,” says Martin.

Approaching security as a cultural change rather than an IT initiative helps employees buy in without feeling they are being accused of doing something wrong.

The more employees think about security from a business impact point of view, the less it will feel like a set of arbitrary hurdles obstructing workflow.

Fortunately, thinking carefully about security culture helps in combating threats both within and beyond the organization, says Grieco.

The fundamentals of security apply both internally and externally, says Grieco: “What are you defending? How are you going to do it? What are your failsafes?”


https://www.csmonitor.com/World/Passcode/2016/1216/Security-s-people-problem-and-how-executives-can-help-fix-it